TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

Camera demo: http://67.203.184.58:9193/admin/view.cgi?profile=0 (username=guest, password=guest)

Background:

When the device web interface is browsed, the product asks to install an ActiveX control in order to stream video content. The control has the following settings:

File version:                              1, 1, 52, 18
Product name:                              UltraMJCam device ActiveX Control
Binary path:                               C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID:                                    UltraMJCam.UltraMJCam.1
CLSID:                                     {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety:                  yes
Safe for Scripting (IObjectSafety):        True
Safe for Initialization (IObjectSafety):   True

Vulnerability:

This ActiveX control exposes the vulnerable OpenFileDlg() method; see the typelib:

..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
    /* VT_BSTR [8] [in] */ $sFilter
) { /* method OpenFileDlg */ }
..

Invoking this method with an overlong argument makes it possible to overflow a stack buffer. The cause is an insecure WideCharToMultiByte() call inside UltraMJCamX.ocx: the wide string is NUL-terminated (WideCharCount = -1), so its length is controlled by the caller, while the byte count passed for the destination (30002) is not derived from the size of the stack buffer that receives the output.

Call stack of main thread

Address   Stack     Procedure / arguments                          Called from            Frame
001279FC  77E6F20B  kernel32.77E637DE                              kernel32.77E6F206      00127A0C
00127A10  0299F958  kernel32.WideCharToMultiByte                   UltraMJC.0299F952      00127A0C
00127A14  00000003  CodePage = 3
00127A18  00000000  Options = 0
00127A1C  03835C5C  WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20  FFFFFFFF  WideCharCount = FFFFFFFF (-1.)
00127A24  00127A50  MultiByteStr = 00127A50
00127A28  00007532  MultiByteCount = 7532 (30002.)
00127A2C  00000000  pDefaultChar = NULL
00127A30  00000000  pDefaultCharUsed = NULL
00127A3C  029B11D0  UltraMJC.0299F920                              UltraMJC.029B11CB      00127A38
..
0299F934  8B45 08         mov eax,dword ptr ss:[ebp+8]
0299F937  C600 00         mov byte ptr ds:[eax],0
0299F93A  6A 00           push 0
0299F93C  6A 00           push 0
0299F93E  8B4D 10         mov ecx,dword ptr ss:[ebp+10]
0299F941  51              push ecx
0299F942  8B55 08         mov edx,dword ptr ss:[ebp+8]
0299F945  52              push edx
0299F946  6A FF           push -1
0299F948  8B45 0C         mov eax,dword ptr ss:[ebp+C]
0299F94B  50              push eax
0299F94C  6A 00           push 0
0299F94E  8B4D 14         mov ecx,dword ptr ss:[ebp+14]
0299F951  51              push ecx
0299F952  FF15 20319F02   call dword ptr ds:[<&KERNEL32.WideCharTo>]   ; kernel32.WideCharToMultiByte  <------------
..

As a result, critical structures on the stack (the SEH chain) are overwritten, allowing arbitrary code execution in the context of the target browser. A basic proof-of-concept is attached.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm
poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm
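The defect above is a WideCharToMultiByte() call whose cchMultiByte argument (30002) is unrelated to the real size of the stack destination, so a caller-controlled NUL-terminated string overruns the frame. The following is an added example of the hardened pattern, not code from the advisory or from the vendor's control: the byte count passed is always the true size of the destination (so an overlong input fails instead of overflowing), or the required size is queried first and a buffer of exactly that size is allocated. The function names filter_to_ansi and filter_to_ansi_alloc are hypothetical; off Windows, a small stand-in for the API (an assumption, ASCII-only) is compiled in so the example runs anywhere.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in (assumption, not the Windows API) so this compiles off-Windows.
   ASCII, NUL-terminated input only; it keeps the two properties the fix relies
   on: cch_multi == 0 queries the required size, and a destination that is too
   small makes the call fail (return 0) instead of writing past its end. */
#define CP_ACP 0
static int WideCharToMultiByte(unsigned cp, unsigned long flags, const wchar_t *src,
                               int cch_wide, char *dst, int cch_multi,
                               const char *def, int *def_used) {
    (void)cp; (void)flags; (void)cch_wide; (void)def; (void)def_used;
    int needed = (int)wcslen(src) + 1;      /* bytes including the terminator */
    if (cch_multi == 0) return needed;      /* size query */
    if (needed > cch_multi) return 0;       /* ERROR_INSUFFICIENT_BUFFER */
    for (int i = 0; i < needed; i++) dst[i] = (char)src[i];
    return needed;
}
#endif

/* Hardened conversion into a caller-owned fixed buffer: the count passed is the
   real destination size, never a constant like the advisory's 30002. Returns
   bytes written including the terminator, or 0 if the input does not fit. */
int filter_to_ansi(const wchar_t *s_filter, char *dst, size_t dst_size) {
    if (!s_filter || !dst || dst_size == 0 || dst_size > INT_MAX) return 0;
    int n = WideCharToMultiByte(CP_ACP, 0, s_filter, -1, dst, (int)dst_size, NULL, NULL);
    if (n == 0) dst[0] = '\0';              /* too long: reject, leave no partial data */
    return n;
}

/* Alternative when any length must be accepted: query the required size, then
   allocate exactly that. Returns NULL on failure; the caller frees the result. */
char *filter_to_ansi_alloc(const wchar_t *s_filter) {
    if (!s_filter) return NULL;
    int needed = WideCharToMultiByte(CP_ACP, 0, s_filter, -1, NULL, 0, NULL, NULL);
    if (needed <= 0) return NULL;
    char *out = malloc((size_t)needed);
    if (!out) return NULL;
    if (WideCharToMultiByte(CP_ACP, 0, s_filter, -1, out, needed, NULL, NULL) != needed) {
        free(out);
        return NULL;
    }
    return out;
}
```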