D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability



D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description:
"The DCS-5605 is a high performance camera for professional surveillance
and remote monitoring. This network camera features motorized pan,
tilt, and optical/digital zoom for ultimate versatility. The 10x optical
zoom lens delivers the level of detail necessary to identify faces, license
plate numbers, and other important details that are difficult to
clearly distinguish using digital zoom alone"

background:
When browsing the device web interface, the user
is asked to install an ActiveX control to stream
video content. This control has the following settings:

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True


Vulnerability:
the ActiveX control exposes the SelectDirectory()
method which supports one optional argument.
See typelib:
..
/* DISPID=22 */
/* VT_BSTR [8] */
function SelectDirectory(
/* VT_VARIANT [12] [in] */ $varDefPath
)
{
/* method SelectDirectory */
}
..

This method suffers of a stack based buffer overflow vulnerability
because an unsafe lstrcpyW() call inside DcsCliCtrl.dll:


..
100712E0 81EC 34040000 sub esp,434
100712E6 A1 2C841010 mov eax,dword ptr ds:[1010842C]
100712EB 33C4 xor eax,esp
100712ED 898424 30040000 mov dword ptr ss:[esp+430],eax
100712F4 53 push ebx
100712F5 8B9C24 48040000 mov ebx,dword ptr ss:[esp+448]
100712FC 55 push ebp
100712FD 8BAC24 40040000 mov ebp,dword ptr ss:[esp+440]
10071304 56 push esi
10071305 8BB424 4C040000 mov esi,dword ptr ss:[esp+44C]
1007130C 57 push edi
1007130D 8BBC24 4C040000 mov edi,dword ptr ss:[esp+44C]
10071314 68 08020000 push 208
10071319 8D4424 34 lea eax,dword ptr ss:[esp+34]
1007131D 6A 00 push 0
1007131F 50 push eax
10071320 E8 0BC40300 call DcsCliCt.100AD730
10071325 83C4 0C add esp,0C
10071328 85F6 test esi,esi
1007132A 74 0C je short DcsCliCt.10071338
1007132C 56 push esi
1007132D 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
10071331 51 push ecx
10071332 FF15 D4D20C10 call dword ptr ds:[<&KERNEL32.lstrcpyW>] ; kernel32.lstrcpyW <-------------
..

An attacker could entice a remote user to browse a web
page to gain control of the victim browser, by passing an overlong string to
the mentioned method and overwriting critical structures (SEH).

As attachment proof of concept code.

Note, to reproduce the wanted crash:
when the SelectDirectory() method is called the
user is asked to select a destination folder for the stream recorder.
To set EIP to 0x0c0c0c0c select a folder of choice, then proceed.
When clicking Cancel you have an unuseful crash, however it could be
possible that modifying the poc you will have EIP overwritten aswell.


I think that it is also possible that other products might carry this dll,
I could post an update if I find more.

Additional note:

0:029> lm -vm DcsCliCtrl
start end module name
08450000 0859e000 DcsCliCtrl (deferred)
Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
Image name: DcsCliCtrl.dll
Timestamp: Thu Aug 19 08:48:47 2010 (4C6CD3CF)
CheckSum: 001325EC
ImageSize: 0014E000
File version: 1.0.0.4519
Product version: 1.0.0.1
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
ProductName: Camera Streaming Client
InternalName: DcsCliCtrl.dll
OriginalFilename: DcsCliCtrl.dll
ProductVersion: 1.0.0.1
FileVersion: 1.0.0.4519
FileDescription: Camera Stream Client Control
LegalCopyright: Copyright: (c) All rights reserved.

original url: http://retrogod.altervista.org/9sg_dlink_adv.htm
poc: http://retrogod.altervista.org/9sg_dlink_poc.htm



Relevant Pages

  • Re: Corporate Web based email - threats
    ... We did a thorough analysis on iNotes and in summary found what you noted. ... legal reasons) that clean the remote PC's leftovers before logoff. ... You need end to end control - including the human at the remote keyboard ... lot of possibility to penetrate user sessions starting from stolen session ...
    (Security-Basics)
  • Click
    ... Adam Sandler plays Michael Newman, experiencing the pathos that come trying to meet the simultaneous and contrary demands of a family and a career. ... Only the execution is new, albeit sometimes clumsy, which developed almost seamlessly from Newman's desire for a single remote unit to control the various electronic components and appliances in his home. ... These were the parts that felt like filler to me, as they lent nothing to anything, so the film at that point seemed like it was lacking something, that the filmmakers knew it, and they were hoping to hide it. ...
    (rec.arts.movies.current-films)
  • Re: Click
    ... Sandler plays Michael Newman, experiencing the pathos that come trying ... almost seamlessly from Newman's desire for a single remote unit to ... control the various electronic components and appliances in his home. ... You are lulled into thinking the rest of the movie will be more of the ...
    (rec.arts.movies.current-films)
  • Re: Server 2008: Shared or concurrent remote desktop access
    ... Full Control with user's permission ... Full Control without user's permission ... View Session without user's permission. ... Is there any way at all with Windows Server 2008's remote desktop (or other ...
    (microsoft.public.windows.server.general)
  • Re: Need simple design for remote control of outdoor lighting system
    ... I would like to setup a control remote system for my outdoor lighting ... I purchased the remote control device that closes a relay for about 500 msec ... coil is energized, it initially does nothing, but when the coil is ...
    (sci.electronics.design)