COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow
Advisory ID: ZSL-2021-5663
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 15.08.2021
Summary
COMMAX ActiveX web viewer client (32-bit) for COMMAX DVR/NVR.
Description
The vulnerability is caused by a boundary error in the processing of user input, which can be exploited to cause a buffer overflow when a user supplies an overly long array of string bytes through several functions. Successful exploitation could allow execution of arbitrary code on the affected node.
--------------------------------------------------------------------------------
(5220.5b30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL -
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa rep stos byte ptr es:[edi]
0:038:x86> r
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa rep stos byte ptr es:[edi]
--------------------------------------------------------------------------------
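One way to triage the register dump above during crash analysis, as an added example that is not part of the original advisory: it flags registers holding a single repeated printable byte and checks whether the faulting string-store instruction writes through one. The sample text is constructed from the lines shown above; the function names and the repeated-byte heuristic are assumptions of this example.

```python
import re

# Constructed sample: register and instruction lines copied from the dump above.
SAMPLE = """\
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc
0b4d43bf f3aa rep stos byte ptr es:[edi]
"""

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
# Disassembly line: address, opcode bytes, then mnemonic and operands.
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(.+)$", re.M)

def parse_registers(text):
    """Map register name -> integer value from WinDbg 'r' output."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def is_filler(value):
    """Heuristic (assumption): four identical printable ASCII bytes, e.g. 0x41414141."""
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x20 <= b[0] <= 0x7E

def triage(text):
    regs = parse_registers(text)
    m = INSN_RE.search(text)
    insn = m.group(1) if m else ""
    words = insn.split()
    rep = bool(words) and words[0].startswith("rep")
    op = (words[1:2] or [""])[0] if rep else (words[:1] or [""])[0]
    filler = sorted(r for r, v in regs.items() if is_filler(v))
    derefs = re.findall(r"\[(e[a-z]{2})", insn)
    # stos/movs always store through es:[edi]; with a rep prefix ecx is the
    # number of iterations still to run when the fault occurred.
    if op in ("stos", "movs") and "edi" in filler:
        verdict = "write-destination-filler"
    elif any(r in filler for r in derefs):
        verdict = "filler-pointer-dereference"
    else:
        verdict = "no-filler-pointer"
    return {"instruction": insn, "filler_registers": filler,
            "verdict": verdict,
            "remaining_count": regs.get("ecx") if rep else None}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
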
Vendor
COMMAX Co., Ltd. - https://www.commax.com
Affected Version
2.1.4.5
Tested On
Microsoft Windows 10 Home (64bit) EN
Microsoft Internet Explorer 20H2
Vendor Status
[02.08.2021] Vulnerability discovered.
[03.08.2021] Vendor contacted.
[04.08.2021] Vendor contacted.
[05.08.2021] No response from the vendor.
[06.08.2021] Vendor contacted.
[14.08.2021] No response from the vendor.
[15.08.2021] Public security advisory released.
PoC
commax_bof.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php
[2] https://packetstormsecurity.com/files/163845
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/207576
[4] https://www.exploit-db.com/exploits/50231
[5] https://cxsecurity.com/issue/WLB-2021090009
Changelog
[15.08.2021] - Initial release
[23.08.2021] - Added reference [2] and [3]
[09.09.2021] - Added reference [4] and [5]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk