OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

nospamgmail.it
Date: Wed Mar 28 2012 - 12:40:29 CDT


D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
                Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description:
"The DCS-5605 is a high performance camera for professional surveillance
and remote monitoring. This network camera features motorized pan,
tilt, and optical/digital zoom for ultimate versatility. The 10x optical
zoom lens delivers the level of detail necessary to identify faces, license
plate numbers, and other important details that are difficult to
clearly distinguish using digital zoom alone"

background:
When browsing the device web interface, the user
is asked to install an ActiveX control to stream
video content. This control has the following settings:

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True

Vulnerability:
the ActiveX control exposes the SelectDirectory()
method which supports one optional argument.
See typelib:
..
/* DISPID=22 */
        /* VT_BSTR [8] */
        function SelectDirectory(
                /* VT_VARIANT [12] [in] */ $varDefPath
                )
        {
                /* method SelectDirectory */
        }
..

This method suffers of a stack based buffer overflow vulnerability
because an unsafe lstrcpyW() call inside DcsCliCtrl.dll:

..
100712E0 81EC 34040000 sub esp,434
100712E6 A1 2C841010 mov eax,dword ptr ds:[1010842C]
100712EB 33C4 xor eax,esp
100712ED 898424 30040000 mov dword ptr ss:[esp+430],eax
100712F4 53 push ebx
100712F5 8B9C24 48040000 mov ebx,dword ptr ss:[esp+448]
100712FC 55 push ebp
100712FD 8BAC24 40040000 mov ebp,dword ptr ss:[esp+440]
10071304 56 push esi
10071305 8BB424 4C040000 mov esi,dword ptr ss:[esp+44C]
1007130C 57 push edi
1007130D 8BBC24 4C040000 mov edi,dword ptr ss:[esp+44C]
10071314 68 08020000 push 208
10071319 8D4424 34 lea eax,dword ptr ss:[esp+34]
1007131D 6A 00 push 0
1007131F 50 push eax
10071320 E8 0BC40300 call DcsCliCt.100AD730
10071325 83C4 0C add esp,0C
10071328 85F6 test esi,esi
1007132A 74 0C je short DcsCliCt.10071338
1007132C 56 push esi
1007132D 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
10071331 51 push ecx
10071332 FF15 D4D20C10 call dword ptr ds:[<&KERNEL32.lstrcpyW>] ; kernel32.lstrcpyW <-------------
..

An attacker could entice a remote user to browse a web
page to gain control of the victim browser, by passing an overlong string to
the mentioned method and overwriting critical structures (SEH).

As attachment proof of concept code.

Note, to reproduce the wanted crash:
when the SelectDirectory() method is called the
user is asked to select a destination folder for the stream recorder.
To set EIP to 0x0c0c0c0c select a folder of choice, then proceed.
When clicking Cancel you have an unuseful crash, however it could be
possible that modifying the poc you will have EIP overwritten aswell.

I think that it is also possible that other products might carry this dll,
I could post an update if I find more.

Additional note:

0:029> lm -vm DcsCliCtrl
start end module name
08450000 0859e000 DcsCliCtrl (deferred)
    Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
    Image name: DcsCliCtrl.dll
    Timestamp: Thu Aug 19 08:48:47 2010 (4C6CD3CF)
    CheckSum: 001325EC
    ImageSize: 0014E000
    File version: 1.0.0.4519
    Product version: 1.0.0.1
    File flags: 0 (Mask 3F)
    File OS: 4 Unknown Win32
    File type: 2.0 Dll
    File date: 00000000.00000000
    Translations: 0409.04e4
    ProductName: Camera Streaming Client
    InternalName: DcsCliCtrl.dll
    OriginalFilename: DcsCliCtrl.dll
    ProductVersion: 1.0.0.1
    FileVersion: 1.0.0.4519
    FileDescription: Camera Stream Client Control
    LegalCopyright: Copyright: (c) All rights reserved.

original url: http://retrogod.altervista.org/9sg_dlink_adv.htm
poc: http://retrogod.altervista.org/9sg_dlink_poc.htm