RBS S Pocketnet Tech MediaViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities of 14

Similar documents
RBS Asante VMS ActiveXCoat ActiveX Control ConnectToVMS() Method Heap Buffer Overflow of 7

RBS of 6

RBS OpenEMR Multisite Setup Improper Access Restriction Remote Code Execution of 5

RBS EverFocus Electronics Corp EPlusOcx ActiveX Control Multiple Stack Buffer Overflows of 10

RBS Axis Products Management Web Interface Multiple Vulnerabilities of 9

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

RBS Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service.

RBS NetGain Enterprise Manager Web Interface Multiple Vulnerabilities of 9

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

RiskSense Attack Surface Validation for Web Applications

locuz.com SOC Services

Chapter 5: Vulnerability Analysis

Carbon Black PCI Compliance Mapping Checklist

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

Building and Instrumenting the Next- Generation Security Operations Center. Sponsored by

Advanced Security Tester Course Outline

align security instill confidence

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Medical Device Vulnerability Management

Microsoft SDL 한국마이크로소프트보안프로그램매니저김홍석부장. Security Development Lifecycle and Building Secure Applications

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Integrated, Intelligence driven Cyber Threat Hunting

Training for the cyber professionals of tomorrow

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

Suma Soft s IT Risk & Security Management Solutions for Global Enterprises

ForeScout ControlFabric TM Architecture

MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents

Qualys Indication of Compromise

COMP3441 Lecture 7: Software Vulnerabilities

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

ForeScout Extended Module for Splunk

NW NATURAL CYBER SECURITY 2016.JUNE.16

ForeScout Extended Module for ArcSight

Cybersecurity Auditing in an Unsecure World

Assessing Your Incident Response Capabilities Do You Have What it Takes?

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Cyber security for digital substations. IEC Europe Conference 2017

ALIENVAULT USM FOR AWS SOLUTION GUIDE

the SWIFT Customer Security

MODULE: INTERNET SECURITY ASSIGNMENT TITLE: INTERNET SECURITY DECEMBER 2012

RiskSense Attack Surface Validation for IoT Systems

deep (i) the most advanced solution for managed security services

Agile Security Solutions

Security. Made Smarter.

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

NIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Reinvent Your 2013 Security Management Strategy

CloudSOC and Security.cloud for Microsoft Office 365

Global Response Centre (GRC) & CIRT Lite. Regional Cyber security Forum 2009, Hyderabad, India 23 rd to 25 th September 2009

Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012

IoT & SCADA Cyber Security Services

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Secure Development Lifecycle

Cyber Security for Process Control Systems ABB's view

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Think Like an Attacker

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

Microsoft Security Management

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

RSA IT Security Risk Management

NIST Special Publication

CMPSC 497 Buffer Overflow Vulnerabilities

Verification & Validation of Open Source

Cyber Security Requirements for Supply Chain. June 17, 2015

Cyber Resilience - Protecting your Business 1

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Cyber Security. Our part of the journey

SOLUTION BRIEF Virtual CISO

Cyber Liability Preventive Services & Tools Specific & Pre-Emptive Considerations BEFORE the Inevitable Cyber Event.

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Taking Control of Your Application Security

An ICS Whitepaper Choosing the Right Security Assessment

Managed Security Services - Endpoint Managed Security on Cloud

Business Context: Key for Successful Risk Management

Microsoft Office Protected-View Out-Of- Bound Array Access

Mapping BeyondTrust Solutions to

Are Mobile Technologies Safe Enough for Industrie 4.0?

Effective Threat Modeling using TAM

Are we breached? Deloitte's Cyber Threat Hunting

ForeScout Extended Module for Qualys VM

Cloud Essentials for Architects using OpenStack

Toward All-Hazards Security and Resilience for the Power Grid

Choosing the Right Security Assessment

Cybersecurity The Evolving Landscape

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

Vulnerability Management. June Risk Advisory

Transcription:

RBS 2014 005 3S Pocketnet Tech MediaViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities 2015 05 06 1 of 14

Table of Contents Table of Contents 2 About Risk Based Security 3 Company History 3 Solutions 3 Vulnerable Program Details 4 References 4 Credits 4 Vulnerability Details 5 SetDisplayText() Method 5 Multiple Methods sonvif_url Argument 6 GetONVIFStreamUri() Method 8 SaveCurrentImage() Method 9 SaveCurrentImageEx() Method 11 StartRecord(), StartRecordEx(), and StartScheduledRecord() Methods 12 Solution 14 Timeline 14 2015 05 06 2 of 14

About Risk Based Security Risk Based Security offers clients fully integrated security solutions, combining real time vulnerability and threat data, as well as the analytical resources to understand the implications of the data, resulting in not just security, but the right security. Company History Risk Based Security, Inc. (RBS) was established in early 2011 to better support the many users and initiatives of the Open Security Foundation including the OSVDB and DataLossDB projects. RBS was created to transform this wealth of security data into actionable information by enhancing the research available, and providing a first of its kind risk identification and evidence based security management service. As a data driven and vendor neutral organization, RBS is able to deliver focused security solutions that are timely, cost effective, and built to address the specific threats and vulnerabilities most relevant to the organizations we serve. We not only maintain vulnerability and data breach databases, we also use this information to inform our entire practice. Solutions VulnDB Vulnerability intelligence, alerting, and third party library tracking based on the largest and most comprehensive vulnerability database. Available as feature rich SaaS portal or powerful API Cyber Risk Analytics Extensive data breach database including interactive dashboards and breach analytics. Clients are able to gather and analyze security threat and data breach information on businesses, industries, geographies, and causes of loss. YourCISO Revolutionary service that provides organizations an affordable security solution including policies, vulnerability scans, awareness material, incident response, and access to high quality information security resources and consulting services. Vulnerability Assessments (VA) and Pentesting Regularly scheduled VAs and pentests help an organization identify weaknesses before the bad guys do. Managing the most comprehensive VDB puts us in a unique position to offer comprehensive assessments, combining the latest in scanning technology and our own data. Detailed and actionable reports are provided in a clear and easy to understand language. Security Development Lifecycle (SDL) Consulting, auditing, and verification specialized in breaking code, which in turn greatly increases the security of products. 2015 05 06 3 of 14

Vulnerable Program Details Details for the tested product and version: Vendor: 3S Pocketnet Tech Product: Speed Dome N4011 Network Camera Version: 1.04 Vendor: 3S Pocketnet Tech Product: 3S VMS (PC NVR) Version: 1.2 Component: MediaViewer ActiveX Control (MediaClientAxCtrl.dll / PocketNetMediaClientAxCtrl.dll) Version: 1.0.23.2, 1.1.2.0, and 1.2.4 NOTE: Other products and versions are very likely also affected. References RBS: RBS 2014 005 OSVDB / VulnDB: 1 2 3 4 5 6 115471, 115472, 115473, 115474, 115475, 115476 CVE: CVE 2014 9263 ZDI: ZDI 14 393, ZDI 14 394, ZDI 14 395, ZDI 14 396, ZDI 14 397 Credits Carsten Eiram, Risk Based Security Twitter: @CarstenEiram Twitter: @RiskBased 1 http://www.osvdb.org/show/osvdb/115471 2 http://www.osvdb.org/show/osvdb/115472 3 http://www.osvdb.org/show/osvdb/115473 4 http://www.osvdb.org/show/osvdb/115474 5 http://www.osvdb.org/show/osvdb/115475 6 http://www.osvdb.org/show/osvdb/115476 2015 05 06 4 of 14

Vulnerability Details IP cameras and other products in the 3S product line provide a web based interface for e.g. configuring device settings or viewing feeds. When accessed for the first time using Internet Explorer, an ActiveX control is installed on the client system. This bundled ActiveX control has been determined to be affected by multiple critical vulnerabilities, allowing attackers to compromise client systems when viewing a malicious web page. SetDisplayText() Method One of the methods supported by the ActiveX control is SetDisplayText(), which is defined as: VARIANT_BOOL SetDisplayText( [in] BSTR sztext, [in] long R, [in] long G, [in] long B); When the method is called, the handling function immediately calls another function with the supplied arguments. 2015 05 06 5 of 14

This function then copies the supplied string via the sztext argument into a 520 wide character buffer at offset 684h of an object stored on the heap. The copy operation uses wcscpy() without performing any bounds checks, leading to a heap based buffer overflow and control of the program flow. Multiple Methods sonvif_url Argument Three methods supported by the ActiveX control are GetONVIFDeviceInformation(), GetONVIFProfiles(), and GetONVIFStreamUri(), which are defined as: VARIANT_BOOL GetONVIFDeviceInformation([in] BSTR sonvif_url); VARIANT_BOOL GetONVIFProfiles([in] BSTR sonvif_url); VARIANT_BOOL GetONVIFStreamUri( [in] BSTR sonvif_url, [in] BSTR sprofiletoken); This analysis only covers the GetONVIFProfiles() method, but the other methods are similarly affected. 2015 05 06 6 of 14

When the function handling the method is called, it checks that the sonvif_url argument was supplied, and then converts it before passing the string as argument to another function. This function allocates memory for a 5640 byte structure on the heap and copies the argument into offset 8 using strcpy() without performing any bounds checks. This allows triggering a heap based buffer overflow and gaining control of the program flow. 2015 05 06 7 of 14

GetONVIFStreamUri() Method One of the methods supported by the ActiveX control is GetONVIFStreamUri(), which is defined as: VARIANT_BOOL GetONVIFStreamUri( [in] BSTR sonvif_url, [in] BSTR sprofiletoken); When the method is called, it starts out by converting the supplied arguments after which another function is called. 2015 05 06 8 of 14

This function creates a 5640 byte structure on the heap and proceeds to copy both arguments into it using strcpy() without performing any bounds checks. This leads to heap based buffer overflows and allows gaining control of the program flow. Please note that the problem with the first argument, sonvif_url, is already covered by the previous issue, so this issue only pertains to the copying of the sprofiletoken argument into offset 408h. SaveCurrentImage() Method One of the methods supported by the ActiveX control is SaveCurrentImage(), which is defined as: VARIANT_BOOL SaveCurrentImage( [in] long format, [in] BSTR filename); When the method is called, it checks that the filename argument was supplied and, if so, copies it into a 1040 wide character buffer on the stack. 2015 05 06 9 of 14

As the ' filename ' argument is copied straight into the buffer using wcscpy() without performing any bounds checks, this allows triggering a stack based buffer overflow and gaining control of the program flow. 2015 05 06 10 of 14

SaveCurrentImageEx() Method One of the methods supported by the ActiveX control is SaveCurrentImageEx(), which is defined as: VARIANT_BOOL SaveCurrentImageEx( [in] long format, [in] BSTR filename, [in] long sec, [in] long usec); When the method is called, it checks that the filename argument was supplied and, if so, copies it into a 260 wide character buffer on the stack.. 2015 05 06 11 of 14

As the ' filename ' argument is copied straight into the buffer using wcscpy() without performing any bounds checks, this allows triggering a stack based buffer overflow and gaining control of the program flow. StartRecord(), StartRecordEx(), and StartScheduledRecord() Methods Three methods supported by the ActiveX control are StartScheduledRecord(), StartRecord(), and StartRecordEx(), which are defined as: VARIANT_BOOL StartRecord([in] BSTR fn); VARIANT_BOOL StartRecordEx( [in] BSTR fn, [in] long sec, [in] long usec); VARIANT_BOOL StartScheduledRecord( [in] BSTR fn, [in] long weekdays, [in] long starthour, [in] long startmin, [in] long duration); This analysis is of the StartRecord() method, but the other functions are similarly affected. When the function handling the method is called, it immediately calls another function. 2015 05 06 12 of 14

This function in turn retrieves a virtual function pointer and jumps to it. The called function copies the supplied string argument straight into offset CB8h of an object on the heap using wcscpy() without performing any bounds checks. This allows triggering a heap based buffer overflow and gaining control of the program flow. 2015 05 06 13 of 14

Solution The vendor was not responsive and no fixes have been made available. Set the kill bit for the vulnerable ActiveX control. Timeline 2014/05/13 Vulnerabilities discovered. 2014/05/13 Vulnerabilities reported to Zero Day Initiative (ZDI) 2014/07/02 Case contracted with ZDI. 2014/08/13 ZDI contacts the vendor (1st attempt) 2014/09/04 ZDI contacts the vendor (2nd attempt) 2014/10/13 ZDI contacts the vendor (3rd attempt) 2014/11/05 ZDI contacts ICS CERT (1st attempt) 2014/11/21 ZDI contacts ICS CERT (2nd attempt) 2014/12/04 ZDI publishes advisories. OSVDB entries published and details made 7 available to VulnDB customers. 2015/05/06 Publication of this vulnerability report. 7 https://www.riskbasedsecurity.com/risk data analytics/vulnerability database/ 2015 05 06 14 of 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback