TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF
Title: TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF
Advisory ID: ZSL-2014-5211
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 25.11.2014
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[2] http://packetstormsecurity.com/files/129262
[3] http://cxsecurity.com/issue/WLB-2014110169
[4] http://osvdb.org/show/osvdb/115037
[5] http://www.securityfocus.com/bid/71292
[6] http://www.vfocus.net/art/20141126/11848.html
[7] http://www.scip.ch/en/?vuldb.68288
[8] http://xforce.iss.net/xforce/xfdb/98948
[9] http://secunia.com/advisories/60244/
[10] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10011
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10011
[26.11.2014] - Added reference [3], [4] and [5]
[27.11.2014] - Added reference [6]
[02.12.2014] - Added reference [7] and [8]
[21.12.2014] - Added reference [9]
[17.01.2015] - Added reference [10] and [11]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2014-5211
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 25.11.2014
Summary
SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful dual-codec wireless network camera with the 2-way audio function that provides the high-quality image and on-the-spot audio via the Internet connection.Description
The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer overflow vulnerability when parsing large amount of bytes to several functions in UltraCamLib, resulting in memory corruption overwriting severeal registers including the SEH. An attacker can gain access to the system of the affected node and execute arbitrary code.--------------------------------------------------------------------------------
0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
--------------------------------------------------------------------------------
Vendor
TRENDnet - http://www.trendnet.comAffected Version
TV-IP422WN/TV-IP422WTested On
Microsoft Windows 7 Professional SP1 (EN)Vendor Status
N/APoC
trendnet_bof.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.exploit-db.com/exploits/35363/[2] http://packetstormsecurity.com/files/129262
[3] http://cxsecurity.com/issue/WLB-2014110169
[4] http://osvdb.org/show/osvdb/115037
[5] http://www.securityfocus.com/bid/71292
[6] http://www.vfocus.net/art/20141126/11848.html
[7] http://www.scip.ch/en/?vuldb.68288
[8] http://xforce.iss.net/xforce/xfdb/98948
[9] http://secunia.com/advisories/60244/
[10] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10011
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10011
Changelog
[25.11.2014] - Initial release[26.11.2014] - Added reference [3], [4] and [5]
[27.11.2014] - Added reference [6]
[02.12.2014] - Added reference [7] and [8]
[21.12.2014] - Added reference [9]
[17.01.2015] - Added reference [10] and [11]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk