Samsung NET-i ware 1.37 – Multiple Vulnerabilities

• Exploit Database
• 103 阅读

• 作者： Luigi Auriemma
  日期： 2012-04-22
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18765/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113

  #######################################################################   Luigi Auriemma   Application:Samsung NET-i ware http://www.samsungsecurity.com/product/product_view.asp?idx=6447 http://www.samsungsecurity.com/product/product_view.asp?idx=5828 Versions: <= 1.37 Platforms:Windows Bugs: A] Endless loop in remote services B] Code execution in ConnectDDNS ActiveX C] Stack overflow in BackupToAvi ActiveX Exploitation: remote Date: 21 Apr 2012 Author: Luigi Auriemma e-mail: aluigi@autistici.org web:aluigi.org     #######################################################################     1) Introduction 2) Bugs 3) The Code 4) Fix     #######################################################################   =============== 1) Introduction ===============     "Recording software for Samsung network cameras".     #######################################################################   ======= 2) Bugs =======     ---------------------------------- A] Endless loop in remote services ----------------------------------   All the NET-i ware services are affected by an endless loop caused by the wrong handling of negative 32bit size fields.     ---------------------------------------- B] Code execution in ConnectDDNS ActiveX ----------------------------------------   Code execution vulnerability in the ConnectDDNS method used by the following ActiveX components: - EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3 - 17A7F731-C9EC-461C-B813-2F42A1BB58EB   10022F80 8B02 MOV EAX,DWORD PTR DS:[EDX] 10022F82 8B4D E8MOV ECX,DWORD PTR SS:[EBP-18] 10022F85 FF10 CALL DWORD PTR DS:[EAX]   The bug is not much reliable to replicate so I report it just for reference. No additional research performed.     ---------------------------------------- C] Stack overflow in BackupToAvi ActiveX ----------------------------------------   Stack overflow in the BackupToAvi method used by the ActiveX components 3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A and 208650B1-3CA1-4406-926D-45F2DBB9C299.     #######################################################################   =========== 3) The Code ===========     A] http://aluigi.org/testz/udpsz.zip https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip   NiwMasterService: udpsz -b 0x80 -T SERVER 4505 0x28   NiwStorageService: udpsz -T -c "REM" 0 -C 80808080 0x10 SERVER 4508 0x14   B,C] http://aluigi.org/poc/netiware_1b.zip     #######################################################################   ====== 4) Fix ======     No fix.     #######################################################################