Embed Size (px)
Citation preview
RBS2015002
EverFocus Electronics Corp EverNet3 ActiveX Control Multiple Vulnerabilities
20150731 1 of 28
Table of Contents
Table of Contents 2 About Risk Based Security 3
Company History 3 Solutions 3
Vulnerable Program Details 4 References 4 Credits 4 Vulnerability Details 5
DestroyOcx() Method Uninitialized Value Use 5 MoveWindow() Method Uninitialized Value Use 7 ProbeDevice() Method Stack Buffer Overflow 8 ReadUnicodeText() Method Stack Buffer Overflow 10 SendHttpRequest() Method Buffer Overflows 11 SendHttpRequest2() Method Heap Buffer Overflow 13 SendHttpRequestEx() Method Buffer Overflows 14 SetRegedit() Method Stack Buffer Overflows 16 SetROIEraser() Method Arbitrary Code Execution 17 SetUnicodeFontInfo() Method Stack Buffer Overflow 20 String Encoding Routine Heap Buffer Overflow 21 RemoveMultiClient() Method Arbitrary Code Execution 24 CreateObjectSizeGrids() Method Stack Buffer Overflow 25
Solution 28 Timeline 28
20150731 2 of 28
About Risk Based Security Risk Based Security offers clients fully integrated security solutions, combining realtime vulnerability and threat data, as well as the analytical resources to understand the implications of the data, resulting in not just security, but the right security.
Company History
Risk Based Security, Inc. (RBS) was established in early 2011 to better support the many users and initiatives of the Open Security Foundation including the OSVDB and DataLossDB projects. RBS was created to transform this wealth of security data into actionable information by enhancing the research available, and providing a first of its kind risk identification and evidencebased security management service. As a data driven and vendor neutral organization, RBS is able to deliver focused security solutions that are timely, cost effective, and built to address the specific threats and vulnerabilities most relevant to the organizations we serve. We not only maintain vulnerability and data breach databases, we also use this information to inform our entire practice.
Solutions
VulnDB Vulnerability intelligence, alerting, and third party library tracking based on the largest and most comprehensive vulnerability database. Available as featurerich SaaS portal or powerful API Cyber Risk Analytics Extensive data breach database including interactive dashboards and breach analytics. Clients are able to gather and analyze security threat and data breach information on businesses, industries, geographies, and causes of loss. YourCISO Revolutionary service that provides organizations an affordable security solution including policies, vulnerability scans, awareness material, incident response, and access to high quality information security resources and consulting services. Vulnerability Assessments (VA) and Pentesting Regularly scheduled VAs and pentests help an organization identify weaknesses before the bad guys do. Managing the most comprehensive VDB puts us in a unique position to offer comprehensive assessments, combining the latest in scanning technology and our own data. Detailed and actionable reports are provided in a clear and easy to understand language. Security Development Lifecycle (SDL) Consulting, auditing, and verification specialized in breaking code, which in turn greatly increases the security of products.
20150731 3 of 28
Vulnerable Program Details Details for tested products and versions: Vendor: EverFocus Electronics Corporation Product: EZN3260 and EDN3340 Version: 1.2.3130815 Component: EverNet3 ActiveX Control (EverNet3.ocx) Version: 1.0.2.48 NOTE: It is suspected that all IP cameras in the EverFocus EZN and EDN product lines bundle the vulnerable ActiveX control and possibly any products in the NeVio series. Other models and versions than the ones listed above are likely affected.
References RBS: RBS2015002 1
OSVDB / VulnDB: 116603, 116604, 116605, 116606, 116607, 116608, 116609, 116610, 116611, 116612, 116613, 116614, 116615, 116616, 116617, 116618, 116619, and 116620
CVE: N/A
Credits Carsten Eiram, Risk Based Security Twitter: @CarstenEiram Twitter: @RiskBased
1 https://www.riskbasedsecurity.com/research/RBS2015002.pdf
20150731 4 of 28
Vulnerability Details IP cameras in the EverFocus EZN and EDN product lines provide a webbased interface for e.g. configuring device settings and streaming footage. When accessed for the first time using Internet Explorer, an ActiveX control, EverNet3.ocx, is installed on the client system. This bundled ActiveX control has been determined to be affected by a large number of critical vulnerabilities, all allowing attackers to compromise the client system when viewing a malicious web page.
DestroyOcx() Method Uninitialized Value Use
The ActiveX control supports the DestroyOcx() method, which accepts no arguments. When calling the method prior to properly initializing the ActiveX control, the this pointer references an only partially initialized CEverNet3Ctrl object. .text:1000B810 M_DestroyOcx proc near ; CODE XREF: CEverNet3Ctrl3::~CEverNet3Ctrl3(void)+4Fp .text:1000B810 ; DATA XREF: .rdata:1007A998o .text:1000B810 .text:1000B810 var_20 = dword ptr 20h .text:1000B810 var_1C = dword ptr 1Ch .text:1000B810 lpoCEverNet3Ctrl= dword ptr 18h .text:1000B810 var_14 = dword ptr 14h .text:1000B810 var_10 = dword ptr 10h .text:1000B810 lpoCUnk1 = dword ptr 0Ch .text:1000B810 lpoCUnk1_2 = dword ptr 8 .text:1000B810 var_4 = dword ptr 4 .text:1000B810 .text:1000B810 push ebp .text:1000B811 mov ebp, esp .text:1000B813 sub esp, 20h .text:1000B816 mov [ebp+lpoCEverNet3Ctrl], ecx Later in the function, some of these uninitialized values are used to make branching decisions. More importantly, an uninitialized value is eventually treated as an object pointer and dereferenced in a virtual function call. This allows gaining control of the execution flow.
20150731 5 of 28
Figure 1: DestroyOcx() uninitialized value use
MoveWindow() Method Uninitialized Value Use
The ActiveX control supports the MoveWindow() method, which accepts four arguments: void MoveWindow( long x, long y, long divX, long divY); When calling the method prior to proper initialization of the ActiveX control, the this pointer references an only partially initialized CEverNet3Ctrl object, which is eventually used when
20150731 6 of 28
calling another function. .text:100112F0 M_MoveWindow proc near ; DATA XREF: .rdata:1007A758o .text:100112F0 .text:100112F0 lpoCEverNet3Ctrl= dword ptr 1Ch .text:100112F0 var_18 = byte ptr 18h .text:100112F0 var_8 = dword ptr 8 .text:100112F0 var_4 = dword ptr 4 .text:100112F0 arg_0 = dword ptr 8 .text:100112F0 arg_4 = dword ptr 0Ch .text:100112F0 arg_8 = dword ptr 10h .text:100112F0 arg_C = dword ptr 14h .text:100112F0 .text:100112F0 push ebp .text:100112F1 mov ebp, esp .text:100112F3 sub esp, 1Ch .text:100112F6 mov [ebp+lpoCEverNet3Ctrl], ecx … .text:10011407 loc_10011407: ; CODE XREF: M_MoveWindow+F5j .text:10011407 ; M_MoveWindow+106j .text:10011407 mov ecx, [ebp+lpoCEverNet3Ctrl] .text:1001140A call sub_1000BF90 Within the called function some of the uninitialized values in memory may be used e.g. as an object pointer dereferenced in a virtual function call. This allows gaining control of the execution flow. .text:1000BF90 sub_1000BF90 proc near ; CODE XREF: CEverNet3Ctrl__OnSize+3Fp .text:1000BF90 ; M_MoveWindow+11Ap ... .text:1000BF90 .text:1000BF90 lpoCEverNet3Ctrl= dword ptr 8 .text:1000BF90 var_4 = dword ptr 4 .text:1000BF90 .text:1000BF90 push ebp .text:1000BF91 mov ebp, esp .text:1000BF93 sub esp, 8 .text:1000BF96 mov [ebp+lpoCEverNet3Ctrl], ecx … .text:1000C0BB mov ecx, [eax+edx*4+0B064h] ; uninit mem .text:1000C0C2 mov edx, [ebp+var_4] .text:1000C0C5 mov eax, [ebp+lpoCEverNet3Ctrl] .text:1000C0C8 mov edx, [eax+edx*4+0B064h] .text:1000C0CF mov eax, [ecx] .text:1000C0D1 push edx .text:1000C0D2 mov ecx, [eax+0B8h] .text:1000C0D8 call ecx
20150731 7 of 28
ProbeDevice() Method Stack Buffer Overflow
The ActiveX control supports the ProbeDevice() method, which accepts five arguments: long ProbeDevice( BSTR szID, BSTR szIp, BSTR szUsr, BSTR szPwd, BSTR szXmlCmd); Before using the “szXmlCmd” argument, it is passed to a conversion function as source string along with a destination pointer to a 32,772 byte stack buffer. .text:10019370 ; int __stdcall M_ProbeDevice(int, wchar_t *, wchar_t *, wchar_t *, wchar_t *) .text:10019370 M_ProbeDevice proc near ; DATA XREF: .rdata:1007AB58o .text:10019370 .text:10019370 pThis = dword ptr 8030h .text:10019370 var_802C = dword ptr 802Ch .text:10019370 ThreadId = dword ptr 8028h .text:10019370 var_8024 = byte ptr 8024h .text:10019370 var_801C = byte ptr 801Ch .text:10019370 var_8018 = byte ptr 8018h .text:10019370 szDstBuf = byte ptr 8014h ; char[32772] .text:10019370 var_10 = dword ptr 10h .text:10019370 var_C = dword ptr 0Ch .text:10019370 var_4 = dword ptr 4 .text:10019370 arg_0 = dword ptr 8 .text:10019370 arg_4 = dword ptr 0Ch .text:10019370 arg_8 = dword ptr 10h .text:10019370 arg_C = dword ptr 14h .text:10019370 pwzXmlCmd = dword ptr 18h … .text:1001945D mov eax, [ebp+pwzXmlCmd] .text:10019460 push eax ; pwzXmlStr .text:10019461 lea ecx, [ebp+szDstBuf] ; char[32772] .text:10019467 push ecx ; pszDstBuf .text:10019468 mov ecx, [ebp+pThis] .text:1001946E call ConvertXmlString ; b0f! The conversion function only accepts two arguments: Pointers to source and destination buffers. It calculates the length of the source buffer and uses this as a while loop counter. For each iteration a character is retrieved from the source buffer, converted if required, and written to the destination buffer.
20150731 8 of 28
Figure 2: Overview of conversion function
As the conversion function is not supplied the size of the destination buffer to perform bounds checks, it is the responsibility of the calling function to ensure that the destination buffer is properly sized prior to conversion. However, in this case no such checks are performed, leading to a stackbased buffer overflow. This allows gaining control of the execution flow.
20150731 9 of 28
ReadUnicodeText() Method Stack Buffer Overflow
The ActiveX control supports the ReadUnicodeText() method, which accepts a single argument: long ReadUnicodeText(BSTR strText); When the method is called, a debug string is created by copying the “strText” argument to a 30 wchar stack buffer using _swprintf(). .text:100245F0 M_ReadUnicodeText proc near ; DATA XREF: .rdata:1007B2D8o .text:100245F0 .text:100245F0 var_2E8 = dword ptr 2E8h .text:100245F0 var_2E4 = dword ptr 2E4h .text:100245F0 var_2E0 = dword ptr 2E0h .text:100245F0 var_2DC = dword ptr 2DCh .text:100245F0 var_2D8 = dword ptr 2D8h .text:100245F0 var_2D4 = dword ptr 2D4h .text:100245F0 var_2D0 = byte ptr 2D0h .text:100245F0 var_2C9 = byte ptr 2C9h .text:100245F0 var_2C8 = dword ptr 2C8h .text:100245F0 var_2C4 = byte ptr 2C4h .text:100245F0 var_2C0 = byte ptr 2C0h .text:100245F0 var_2BC = byte ptr 2BCh .text:100245F0 var_2B8 = dword ptr 2B8h .text:100245F0 MultiByteStr = byte ptr 2B4h .text:100245F0 OutputString = word ptr 254h .text:100245F0 var_54 = byte ptr 54h .text:100245F0 wzDest = word ptr 4Ch ; wchar[30] .text:100245F0 var_10 = dword ptr 10h .text:100245F0 var_C = dword ptr 0Ch .text:100245F0 var_4 = dword ptr 4 .text:100245F0 pwzStrText = dword ptr 8 … .text:10024645 mov eax, [ebp+pwzStrText] .text:10024648 push eax .text:10024649 push offset aS_0 ; "%s" .text:1002464E lea ecx, [ebp+wzDest] ; wchar[30] .text:10024651 push ecx ; Dest .text:10024652 call __swprintf ; b0f! As no bounds checks are performed, this allows triggering a stackbased buffer overflow and gaining control of the execution flow.
20150731 10 of 28
SendHttpRequest() Method Buffer Overflows
The ActiveX control supports the SendHttpRequest() method, which accepts five arguments: long SendHttpRequest( BSTR szID, BSTR szIp, BSTR szUsr, BSTR szPwd, BSTR szXmlCmd); Prior to being used, the “szXmlCmd” argument is passed as source string to the conversion function previously described in the “ProbeDevice() Method Stack Buffer Overflow” section along with a destination pointer to a heap buffer. As no bounds checks are performed prior to calling the function, a heapbased buffer overflow may occur. .text:100132D0 ; int __stdcall M_SendHttpRequest(int, wchar_t *, wchar_t *, wchar_t *, wchar_t *) .text:100132D0 M_SendHttpRequest proc near ; DATA XREF: .rdata:1007A958o .text:100132D0 ... .text:100132D0 wzDest = word ptr 22Ch ; wchar[256] .text:100132D0 var_2C = dword ptr 2Ch .text:100132D0 var_28 = dword ptr 28h .text:100132D0 var_24 = word ptr 24h .text:100132D0 var_20 = dword ptr 20h .text:100132D0 var_1C = byte ptr 1Ch .text:100132D0 var_10 = dword ptr 10h .text:100132D0 var_C = dword ptr 0Ch .text:100132D0 var_4 = dword ptr 4 .text:100132D0 arg_0 = dword ptr 8 .text:100132D0 arg_4 = dword ptr 0Ch .text:100132D0 arg_8 = dword ptr 10h .text:100132D0 arg_C = dword ptr 14h .text:100132D0 pwzXmlCmd = dword ptr 18h … .text:10013387 mov edx, [ebp+pwzXmlCmd] .text:1001338A push edx ; pwzXmlStr .text:1001338B mov eax, [ebp+var_10] .text:1001338E add eax, 10h .text:10013391 push eax ; pszDstBuf .text:10013392 mov ecx, [ebp+pThis] .text:10013398 call ConvertXmlString ; b0f!
20150731 11 of 28
If a buffer overflow is not triggered within the conversion function, the converted string is eventually passed to another function to craft an HTTP request to /cgibin/cgiStream on a specified IP camera. .text:1001341C loc_1001341C: ; CODE XREF: M_SendHttpRequest+E9j .text:1001341C mov ecx, [ebp+poXmlCmd] .text:1001341F push ecx .text:10013420 lea ecx, [ebp+var_1C] .text:10013423 call SendXmlCmdToCgiStream The called function creates the parameters as part of the request (“video=2&xml=%s”), passing the converted XML command as value to the “xml” parameter. As the string is written to a 16,388 byte stack buffer using sprintf() without performing any boundary checks, this may lead to a stackbased buffer overflow and gaining control of the execution flow. .text:10005230 SendXmlCmdToCgiStream proc near ; CODE XREF: M_SendHttpRequest+153p .text:10005230 ; CEverNet3Ctrl__vThreadProbe+107p ... .text:10005230 dwBufferLength = dword ptr 4090h .text:10005230 var_408C = dword ptr 408Ch .text:10005230 Buffer = dword ptr 4088h .text:10005230 dwIndex = dword ptr 4084h .text:10005230 dwNumberOfBytesRead= dword ptr 4080h .text:10005230 wzHeaders = word ptr 407Ch ; wchar[50] .text:10005230 var_4018 = byte ptr 4018h .text:10005230 szOptional = byte ptr 4014h ; char[16388] .text:10005230 var_10 = dword ptr 10h .text:10005230 var_C = dword ptr 0Ch .text:10005230 var_4 = dword ptr 4 .text:10005230 poXmlCmd = dword ptr 8 .text:10005230 .text:10005230 push ebp .text:10005231 mov ebp, esp .text:10005233 push 0FFFFFFFFh .text:10005235 push offset loc_100723CB .text:1000523A mov eax, large fs:0 ... .text:10005292 mov eax, [ebp+poXmlCmd] .text:10005295 add eax, 10h .text:10005298 push eax .text:10005299 push offset aVideo2XmlS ; "video=2&xml=%s" .text:1000529E lea ecx, [ebp+szOptional] ; char[16388] .text:100052A4 push ecx ; char * .text:100052A5 call _sprintf ; b0f!
20150731 12 of 28
SendHttpRequest2() Method Heap Buffer Overflow
The ActiveX control supports the SendHttpRequest2() method, which accepts eight arguments: long SendHttpRequest2( short method, BSTR szIp, BSTR szPort, BSTR szUsr, BSTR szPwd, BSTR szXmlCmd, BSTR szXmlUrl, BSTR szFileName); Prior to being used, the “szXmlCmd” argument is passed as source string to the conversion function previously described in the “ProbeDevice() Method Stack Buffer Overflow” section along with a destination pointer to a heap buffer. As no bounds checks are performed prior to calling the function, a heapbased buffer overflow may occur. .text:10019B80 ; int __stdcall M_SendHttpRequest2(int, wchar_t *pwzIp, wchar_t *pwzPort, LPCWSTR pwzUsr, LPCWSTR pwzPwd, wchar_t *pwzXmlCmd, wchar_t *pwzXmlUrl, wchar_t *pwzFileName) .text:10019B80 M_SendHttpRequest2 proc near ; CODE XREF: M_ReadUnicodeText+323p .text:10019B80 ; DATA XREF: .rdata:1007ABD8o ... .text:10019B80 var_4 = dword ptr 4 .text:10019B80 pwzIp = dword ptr 0Ch .text:10019B80 pwzPort = dword ptr 10h .text:10019B80 pwzUsr = dword ptr 14h .text:10019B80 pwzPwd = dword ptr 18h .text:10019B80 pwzXmlCmd = dword ptr 1Ch .text:10019B80 pwzXmlUrl = dword ptr 20h .text:10019B80 pwzFileName = dword ptr 24h … .text:10019D3A mov eax, [ebp+pwzXmlCmd] .text:10019D3D push eax ; pwzXmlStr .text:10019D3E mov ecx, [ebp+pThis] .text:10019D41 add ecx, 858h .text:10019D47 push ecx ; pszDstBuf .text:10019D48 mov ecx, [ebp+pThis] .text:10019D4B call ConvertXmlString ; b0f!
20150731 13 of 28
SendHttpRequestEx() Method Buffer Overflows
The ActiveX control supports the SendHttpRequestEx() method, which accepts 13 arguments: long SendHttpRequestEx( short sMethod, short sBehave, BSTR szID, BSTR szIp, BSTR szPort, short sEncode, BSTR szUsr, BSTR szPwd, BSTR szXmlHeader, BSTR szXmlCmd, BSTR szXmlUrl, BSTR szFileName1, BSTR szFileName2); When the method is called, a debug string (“SendHttpRequest: id=%s ip=%s usr=%s pwd=%s xml=%s”) is crafted based on five of the supplied arguments: "szID", "szIp", "szUsr", "szPwd", and "szXmlUrl". .text:10013580 ; int __stdcall M_SendHttpRequestEx(__int16 sMethod, __int16 sBehave, int pwzID, wchar_t *pwzIp, wchar_t *pwzPort, __int16 sEncode, LPCWSTR pwzUsr, LPCWSTR pwzPwd, wchar_t *pwzXmlHeader, wchar_t *pwzXmlCmd, wchar_t *pwzXmlUrl, wchar_t *pwzFileName1, wchar_t *pwzFileName2) .text:10013580 M_SendHttpRequestEx proc near ; DATA XREF: .rdata:1007B218o .text:10013580 ... .text:10013580 wzDest = word ptr 234h ; wchar[256] .text:10013580 var_34 = dword ptr 34h .text:10013580 var_30 = word ptr 30h .text:10013580 var_2C = dword ptr 2Ch .text:10013580 var_28 = byte ptr 28h .text:10013580 var_1C = dword ptr 1Ch .text:10013580 var_18 = byte ptr 18h .text:10013580 var_14 = dword ptr 14h .text:10013580 var_10 = byte ptr 10h .text:10013580 var_C = dword ptr 0Ch .text:10013580 var_4 = dword ptr 4 .text:10013580 sMethod = word ptr 8 .text:10013580 sBehave = word ptr 0Ch .text:10013580 pwzID = dword ptr 10h
20150731 14 of 28
.text:10013580 pwzIp = dword ptr 14h
.text:10013580 pwzPort = dword ptr 18h
.text:10013580 sEncode = word ptr 1Ch
.text:10013580 pwzUsr = dword ptr 20h
.text:10013580 pwzPwd = dword ptr 24h
.text:10013580 pwzXmlHeader = dword ptr 28h
.text:10013580 pwzXmlCmd = dword ptr 2Ch
.text:10013580 pwzXmlUrl = dword ptr 30h
.text:10013580 pwzFileName1 = dword ptr 34h
.text:10013580 pwzFileName2 = dword ptr 38h
.text:10013580
.text:10013580 push ebp
.text:10013581 mov ebp, esp
.text:10013583 push 0FFFFFFFFh
.text:10013585 push offset loc_10073177
.text:1001358A mov eax, large fs:0
...
.text:100135B1 mov eax, [ebp+pwzXmlCmd]
.text:100135B4 push eax
.text:100135B5 mov ecx, [ebp+pwzPwd]
.text:100135B8 push ecx
.text:100135B9 mov edx, [ebp+pwzUsr]
.text:100135BC push edx
.text:100135BD mov eax, [ebp+pwzIp]
.text:100135C0 push eax
.text:100135C1 mov ecx, [ebp+pwzID]
.text:100135C4 push ecx
.text:100135C5 push offset aSendhttpreques ; "SendHttpRequest: id=%s ip=%s usr=%s pwd"... .text:100135CA lea edx, [ebp+wzDest] ; wchar[256] .text:100135D0 push edx ; Dest .text:100135D1 call __swprintf ; b0f! As the string is written into a 256 wchar stack buffer using _swprintf() without performing any boundary checks, this leads to a stackbased buffer overflow and allows gaining control of the execution flow. If a buffer overflow is not triggered, the code eventually passes the “szXmlUrl” argument as source string to the conversion function previously described in the “ProbeDevice() Method Stack Buffer Overflow” section along with a destination pointer to a 8,192 byte heap buffer. As no bounds checks are performed prior to calling the function, a heapbased buffer overflow may occur. .text:10013664 mov edx, [ebp+pwzXmlUrl] .text:10013667 push edx ; pwzXmlStr .text:10013668 mov eax, [ebp+var_1C] .text:1001366B add eax, 4010h .text:10013670 push eax ; pszDstBuf .text:10013671 mov ecx, [ebp+pThis] .text:10013677 call ConvertXmlString ; b0f!
20150731 15 of 28
Similar vulnerable conversion occurs for the “szXmlHeader” and “szXmlCmd” arguments, also leading to heapbased buffer overflows. .text:100136A2 push eax ; pwzXmlStr .text:100136A3 mov ecx, [ebp+var_1C] .text:100136A6 add ecx, 2010h .text:100136AC push ecx ; pszDstBuf .text:100136AD mov ecx, [ebp+pThis] .text:100136B3 call ConvertXmlString ; b0f! .text:100136B8 mov edx, [ebp+pwzXmlCmd] .text:100136BB push edx ; pwzXmlStr .text:100136BC mov eax, [ebp+var_1C] .text:100136BF add eax, 10h .text:100136C2 push eax ; pszDstBuf .text:100136C3 mov ecx, [ebp+pThis] .text:100136C9 call ConvertXmlString ; b0f!
SetRegedit() Method Stack Buffer Overflows
The ActiveX control supports the SetRegedit() method, which accepts three arguments: short SetRegedit( BSTR szPath, BSTR szName, BSTR szValue); When called, the responsible function, CEverNet3Ctrl::SetRegedit(), creates the full path for the registry key to set (“Software\Ext\Nevio\%s”) based on the supplied “szPath” argument. .text:10018AE0 ; int __stdcall M_SetRegedit(int pwzPath, LPCWSTR pwzValueName, wchar_t *pwzValue) .text:10018AE0 M_SetRegedit proc near ; DATA XREF: .rdata:1007AAB8o .text:10018AE0 .text:10018AE0 var_218 = dword ptr 218h .text:10018AE0 dwDisposition = dword ptr 214h .text:10018AE0 wzDest = word ptr 210h ; wchar[258] .text:10018AE0 var_C = dword ptr 0Ch .text:10018AE0 var_8 = dword ptr 8 .text:10018AE0 phkResult = dword ptr 4 .text:10018AE0 pwzPath = dword ptr 8 .text:10018AE0 pwzValueName = dword ptr 0Ch .text:10018AE0 pwzValue = dword ptr 10h .text:10018AE0 .text:10018AE0 push ebp .text:10018AE1 mov ebp, esp .text:10018AE3 sub esp, 218h
20150731 16 of 28
.text:10018AE9 mov eax, dword_10098C00
.text:10018AEE xor eax, ebp
.text:10018AF0 mov [ebp+var_C], eax
.text:10018AF3 mov [ebp+var_218], ecx
.text:10018AF9 mov [ebp+phkResult], 0
.text:10018B00 push offset aCevernet3ctr_4 ; "CEverNet3Ctrl::SetRegedit\n"
.text:10018B05 call ds:OutputDebugStringW
.text:10018B0B mov eax, [ebp+pwzPath]
.text:10018B0E push eax
.text:10018B0F push offset aSoftwareExtN_0 ; "Software\\Ext\\Nevio\\%s"
.text:10018B14 lea ecx, [ebp+wzDest] ; wchar[258]
.text:10018B1A push ecx ; Dest
.text:10018B1B call __swprintf ; b0f! As the path is written into a 258 wchar buffer using _swprintf() without performing any boundary checks, this allows triggering a stackbased buffer overflow and gaining control of the execution flow. Later in the function a similar problem exists for the “szValue” argument when copied into a 258 wchar stack buffer. .text:10018B80 loc_10018B80: ; CODE XREF: M_SetRegedit+74j .text:10018B80 mov edx, [ebp+pwzValue] .text:10018B83 push edx .text:10018B84 push offset aS_0 ; "%s" .text:10018B89 lea eax, [ebp+wzDest] ; wchar[258] .text:10018B8F push eax ; Dest .text:10018B90 call __swprintf ; b0f!
SetROIEraser() Method Arbitrary Code Execution
The ActiveX control supports the SetROIEraser() method, which accepts two arguments: void SetROIEraser( short sCh, short sSeq); When calling the method prior to properly initializing the ActiveX control, the this pointer references an only partially initialized CEverNet3Ctrl object. This results in uninitialized memory being used in various locations within the function depending on the value of the “sSeq” argument.
20150731 17 of 28
.text:10023020 M_SetROIEraser proc near ; CODE XREF: M_CreateROIMasks+A6p .text:10023020 ; DATA XREF: .rdata:1007B1B8o .text:10023020 .text:10023020 lpoCEverNet3Ctrl= dword ptr 20h .text:10023020 var_1C = word ptr 1Ch .text:10023020 var_18 = dword ptr 18h .text:10023020 var_14 = word ptr 14h .text:10023020 var_10 = dword ptr 10h .text:10023020 var_C = dword ptr 0Ch .text:10023020 var_8 = dword ptr 8 .text:10023020 lpoCUnk1 = dword ptr 4 .text:10023020 sCh = word ptr 8 .text:10023020 sSeq = word ptr 0Ch .text:10023020 .text:10023020 push ebp .text:10023021 mov ebp, esp .text:10023023 sub esp, 20h .text:10023026 mov [ebp+lpoCEverNet3Ctrl], ecx … .text:1002308D loc_1002308D: ; CODE XREF: M_SetROIEraser+53j .text:1002308D movsx eax, [ebp+sSeq] .text:10023091 cmp eax, 63h .text:10023094 jnz loc_1002316C ; sSeq != 99? In cases where “sSeq” is not 99, the code branches to the following location where uninitialized memory is used as an object pointer when calling a virtual function. .text:1002316C .text:1002316C loc_1002316C: ; CODE XREF: M_SetROIEraser+74j .text:1002316C movsx edx, [ebp+sSeq] .text:10023170 shl edx, 2 .text:10023173 mov [ebp+var_1C], dx .text:10023177 push offset Data .text:1002317C push 0 .text:1002317E push 0 .text:10023180 push 0 .text:10023182 push 0 .text:10023184 push 0 .text:10023186 push 0 .text:10023188 push 0 .text:1002318A push 0 .text:1002318C movsx eax, [ebp+sSeq] .text:10023190 add eax, 0CDh .text:10023195 push eax .text:10023196 mov ecx, [ebp+lpoCUnk1] .text:10023199 mov edx, [ecx] ; read from unit mem .text:1002319B mov eax, [ebp+lpoCUnk1] .text:1002319E push eax .text:1002319F mov ecx, [edx+0F8h] .text:100231A5 call ecx
20150731 18 of 28
If “sSeq” is 99, the code branches to the following location where a similar thing happens. .text:100230EC mov ecx, [ebp+lpoCUnk1] .text:100230EF mov edx, [ecx] ; read from uninit mem .text:100230F1 mov eax, [ebp+lpoCUnk1] .text:100230F4 push eax .text:100230F5 mov ecx, [edx+0F8h] .text:100230FB call ecx Both of these cases allows gaining control of the execution flow. Another problem exists in the function when handling the “sCh” argument, since it’s signextended and used as index into an array without performing any bounds checks. This eventually leads to the referenced memory being treated as an object pointer and stored in a local variable. .text:10023020 M_SetROIEraser proc near ; CODE XREF: M_CreateROIMasks+A6p .text:10023020 ; DATA XREF: .rdata:1007B1B8o .text:10023020 .text:10023020 lpoCEverNet3Ctrl= dword ptr 20h .text:10023020 var_1C = word ptr 1Ch .text:10023020 var_18 = dword ptr 18h .text:10023020 var_14 = word ptr 14h .text:10023020 var_10 = dword ptr 10h .text:10023020 var_C = dword ptr 0Ch .text:10023020 var_8 = dword ptr 8 .text:10023020 lpoCUnk1 = dword ptr 4 .text:10023020 sCh = word ptr 8 .text:10023020 sSeq = word ptr 0Ch .text:10023020 .text:10023020 push ebp .text:10023021 mov ebp, esp .text:10023023 sub esp, 20h .text:10023026 mov [ebp+lpoCEverNet3Ctrl], ecx … .text:10023035 movsx ecx, [ebp+sCh] .text:10023039 mov edx, [ebp+lpoCEverNet3Ctrl] .text:1002303C cmp dword ptr [edx+ecx*4+0B074h], 0 .text:10023044 jnz short loc_1002304B ; value != 0? .text:1002304B .text:1002304B loc_1002304B: ; CODE XREF: M_SetROIEraser+24j .text:1002304B movsx eax, [ebp+sCh] .text:1002304F mov ecx, [ebp+lpoCEverNet3Ctrl] .text:10023052 mov edx, [ecx+eax*4+0B064h] ; use as index into array .text:10023059 mov [ebp+lpoCUnk1], edx ; store as object pointer
20150731 19 of 28
Depending on the value of the “sSeq” argument, as mentioned in the previous section, one of two code locations may eventually dereference the value when calling a virtual function. .text:10023196 mov ecx, [ebp+lpoCUnk1] .text:10023199 mov edx, [ecx] .text:1002319B mov eax, [ebp+lpoCUnk1] .text:1002319E push eax .text:1002319F mov ecx, [edx+0F8h] .text:100231A5 call ecx And… .text:100230EC mov ecx, [ebp+lpoCUnk1] .text:100230EF mov edx, [ecx] .text:100230F1 mov eax, [ebp+lpoCUnk1] .text:100230F4 push eax .text:100230F5 mov ecx, [edx+0F8h] .text:100230FB call ecx This allows gaining control of the execution flow.
SetUnicodeFontInfo() Method Stack Buffer Overflow
The ActiveX control supports the SetUnicodeFontInfo() method, which accepts four arguments: long SetUnicodeFontInfo( short sFontH, short sIsShift, long lFontWeight, BSTR strFontType); When the method is called, the “strFontType” argument is copied into a 30 wchar stack buffer using _swprintf() without performing any boundary checks. .text:10024500 M_SetUnicodeFontInfo proc near ; DATA XREF: .rdata:1007B2F8o .text:10024500 .text:10024500 wzDest = word ptr 50h ; wchar[30] .text:10024500 var_14 = dword ptr 14h .text:10024500 var_10 = word ptr 10h .text:10024500 var_C = dword ptr 0Ch .text:10024500 var_4 = dword ptr 4 .text:10024500 sFontH = word ptr 8 .text:10024500 sIsShift = word ptr 0Ch .text:10024500 lFontWeight = dword ptr 10h .text:10024500 pstrFontType = dword ptr 14h
20150731 20 of 28
.text:10024500
.text:10024500 push ebp
.text:10024501 mov ebp, esp
.text:10024503 push 0FFFFFFFFh
.text:10024505 push offset loc_10073FA8
.text:1002450A mov eax, large fs:0 … .text:1002457F mov edx, [ebp+pstrFontType] .text:10024582 push edx .text:10024583 push offset aS_0 ; "%s" .text:10024588 lea eax, [ebp+wzDest] ; wchar[30] .text:1002458B push eax ; Dest .text:1002458C call __swprintf ; b0f! This leads to a stackbased buffer overflow and allows gaining control of the execution flow.
String Encoding Routine Heap Buffer Overflow
The ActiveX control supports the SimpleEncDecStr() method, which accepts two arguments: BSTR SimpleEncDecStr( short method, BSTR strName); When the SimpleEncDecStr() method is called, the string supplied via the “strName” argument is converted using WideCharToMultiByte() into a 128 byte destination buffer. .text:1001A800 ; int __stdcall M_SimpleEncDecStr(__int16 sMethod, LPCWSTR pwzStrName) .text:1001A800 M_SimpleEncDecStr proc near ; CODE XREF: M_Play+752p .text:1001A800 ; M_Play+783p ... ... .text:1001A800 pUnk1 = dword ptr 98h .text:1001A800 szMultiByteStr = byte ptr 94h ; char[128] .text:1001A800 var_14 = dword ptr 14h .text:1001A800 lpoCStringData = byte ptr 10h .text:1001A800 var_C = dword ptr 0Ch .text:1001A800 iUnkZero = dword ptr 4 .text:1001A800 sMethod = word ptr 8 .text:1001A800 pwzStrName = dword ptr 0Ch .text:1001A800 .text:1001A800 push ebp .text:1001A801 mov ebp, esp .text:1001A803 push 0FFFFFFFFh .text:1001A805 push offset loc_1007362E .text:1001A80A mov eax, large fs:0 ... .text:1001A831 push 80h ; size_t
20150731 21 of 28
.text:1001A836 push 0 ; int
.text:1001A838 lea eax, [ebp+szMultiByteStr] ; char[128]
.text:1001A83E push eax ; void *
.text:1001A83F call _memset
.text:1001A844 add esp, 0Ch
.text:1001A847 push 0 ; lpUsedDefaultChar
.text:1001A849 push 0 ; lpDefaultChar
.text:1001A84B push 80h ; cbMultiByte
.text:1001A850 lea ecx, [ebp+szMultiByteStr] ; char[128]
.text:1001A856 push ecx ; lpMultiByteStr
.text:1001A857 push 0FFFFFFFFh ; cchWideChar
.text:1001A859 mov edx, [ebp+pwzStrName]
.text:1001A85C push edx ; lpWideCharStr
.text:1001A85D push 0 ; dwFlags
.text:1001A85F push 0 ; CodePage
.text:1001A861 call ds:WideCharToMultiByte Checks then confirm that the value passed via the “method” argument is either 0 or 1. This defines whether the function should decode (0) or encode (1) the supplied string. In case the value is 1, the function calls SimpleEecStr() to encode the string. .text:1001A876 movsx eax, [ebp+sMethod] .text:1001A87A test eax, eax .text:1001A87C jnz short loc_1001A8CA ; method != 0? .text:1001A8CA loc_1001A8CA: ; CODE XREF: M_SimpleEncDecStr+7Cj .text:1001A8CA movsx edx, [ebp+sMethod] .text:1001A8CE cmp edx, 1 .text:1001A8D1 jnz short @exit ; method != 1? .text:1001A8D3 lea eax, [ebp+szMultiByteStr] ; char[128] .text:1001A8D9 push eax ; pszString .text:1001A8DA lea ecx, [ebp+var_9C] .text:1001A8E0 push ecx ; pUnk1 .text:1001A8E1 call SimpleEecStr Inside SimpleEecStr() the length of the string is calculated using strlen(). Memory is then allocated based on the length * 4 + 2. This is to ensure sufficient room for each byte being encoded into 4 bytes along with the NULL terminator. .text:10010410 ; int __cdecl SimpleEecStr(int pUnk1, char *pszString) .text:10010410 SimpleEecStr proc near ; CODE XREF: M_SimpleEncDecStr+E1p .text:10010410 .text:10010410 var_48 = dword ptr 48h .text:10010410 iCount = dword ptr 44h .text:10010410 wzDest = word ptr 40h ; wchar[16] .text:10010410 var_20 = dword ptr 20h .text:10010410 lpOutputString = dword ptr 1Ch .text:10010410 uiStringLength = dword ptr 18h .text:10010410 uiStringLengthx2= dword ptr 14h .text:10010410 var_10 = byte ptr 10h .text:10010410 var_C = dword ptr 0Ch .text:10010410 var_4 = dword ptr 4 .text:10010410 pUnk1 = dword ptr 8 .text:10010410 pszString = dword ptr 0Ch
20150731 22 of 28
.text:10010410
.text:10010410 push ebp
.text:10010411 mov ebp, esp
.text:10010413 push 0FFFFFFFFh
.text:10010415 push offset loc_10072E78
.text:1001041A mov eax, large fs:0
...
.text:10010453 mov eax, [ebp+pszString]
.text:10010456 push eax ; char *
.text:10010457 call _strlen ; doesn't account for missing NULL termination .text:1001045C add esp, 4 .text:1001045F mov [ebp+uiStringLength], eax .text:10010462 mov ecx, [ebp+uiStringLength] .text:10010465 shl ecx, 1 .text:10010467 mov [ebp+uiStringLengthx2], ecx .text:1001046A mov edx, [ebp+uiStringLengthx2] .text:1001046D lea eax, [edx+edx+2] .text:10010471 push eax ; size_t .text:10010472 call _malloc ; allocation assumes 1 byte = 4 bytes encoded + NULL terminator .text:10010477 add esp, 4 .text:1001047A mov [ebp+lpOutputString], eax The encoding routine is then entered. The string is encoded one byte at a time and the result appended to the previously allocated output buffer. The first step of the encoding process changes the value of the current byte based on its position in the string. This resulting byte value is then signextended and passed to swprintf() using the "%.2X" format specifier before being written to the output buffer using wcscat().
20150731 23 of 28
Figure 3: Encoding loop
The developer seemingly expected the precision specifier to limit the output to two widecharacters, but precision used with the 'X' specifier specifies the minimum number of digits. As the encoded byte value is signextended, the result of calling swprintf() with the "%.2X" format specifier may be a 16 byte string. As the heapbased buffer was allocated on the assumption that a byte is encoded to 4 bytes, a heapbased buffer overflow can be triggered.
RemoveMultiClient() Method Arbitrary Code Execution
The ActiveX control supports the RemoveMultiClient() method, which accepts a single argument: void RemoveMultiClient(short sChannel); Two problems exist in the CEverNet2Ctrl::RemoveMultiClient() function handling calls to this method. Firstly, the supplied “sChannel” argument is signextended and used as an index into an array in the CEverNet2Ctrl object to retrieve an object pointer without performing any bounds checks. Secondly, when calling the method without properly initializing the control, the mentioned array contains uninitialized values that are treated as object pointers and dereferenced when performing a virtual function call. .text:1001D760 M_RemoveMultiClient proc near ; CODE XREF: M_AddMultiClient+9Bp .text:1001D760 ; M_AddMultiClient+29Dp ... .text:1001D760 .text:1001D760 lpThis = dword ptr 4 .text:1001D760 sChannel = word ptr 8 .text:1001D760 .text:1001D760 push ebp .text:1001D761 mov ebp, esp .text:1001D763 push ecx .text:1001D764 mov [ebp+lpThis], ecx .text:1001D767 movsx eax, [ebp+sChannel] .text:1001D76B mov ecx, [ebp+lpThis] .text:1001D76E mov edx, [ecx+eax*4+0B064h] ; uninit mem / OOB read .text:1001D775 movsx eax, [ebp+sChannel] .text:1001D779 mov ecx, [ebp+lpThis] .text:1001D77C mov eax, [ecx+eax*4+0B064h] .text:1001D783 mov ecx, [edx] .text:1001D785 push eax .text:1001D786 mov edx, [ecx+0A0h] .text:1001D78C call edx Both cases allow gaining control of the execution flow.
20150731 24 of 28
These issues are also triggerable via the CEverNet2Ctrl::AddFilledClient() function handling calls to the AddFilledClient() method as well as the CEverNet2Ctrl::AddMultiClient() function handling calls to the AddMultiClient() method. In both cases, the methods also accept a “sChannel” argument eventually passed to the CEverNet2Ctrl::RemoveMultiClient() function. short AddFilledClient( short sChannel, BSTR szSource, BSTR szEncUsr, BSTR szEncPwd); short AddMultiClient( short sChannel, BSTR szSource, BSTR szEncUsr, BSTR szEncPwd);
CreateObjectSizeGrids() Method Stack Buffer Overflow
The ActiveX control supports the CreateObjectSizeGrids() method, which accepts five arguments: short CreateObjectSizeGrids( short sCh, short sEnable, short sWNum, short sHNum, BSTR lpSelGrid); When the method is called, a debug string is crafted based on the supplied arguments. .text:100238C0 ; int __stdcall M_CreateObjectSizeGrids(__int16, __int16, __int16, __int16, wchar_t *) .text:100238C0 M_CreateObjectSizeGrids proc near ; DATA XREF: .rdata:1007B298o .text:100238C0 .text:100238C0 wzDest = word ptr 21Ch ; wchar[258] .text:100238C0 var_18 = dword ptr 18h .text:100238C0 var_14 = byte ptr 14h .text:100238C0 var_C = dword ptr 0Ch
20150731 25 of 28
.text:100238C0 var_4 = dword ptr 4
.text:100238C0 arg_0 = word ptr 8
.text:100238C0 arg_4 = word ptr 0Ch
.text:100238C0 arg_8 = word ptr 10h
.text:100238C0 arg_C = word ptr 14h
.text:100238C0 arg_10 = dword ptr 18h
.text:100238C0
.text:100238C0 push ebp
.text:100238C1 mov ebp, esp
...
.text:1002390B mov eax, [ebp+arg_10]
.text:1002390E push eax
.text:1002390F movsx ecx, [ebp+arg_C]
.text:10023913 push ecx
.text:10023914 movsx edx, [ebp+arg_8]
.text:10023918 push edx
.text:10023919 movsx eax, [ebp+arg_4]
.text:1002391D push eax
.text:1002391E movsx ecx, [ebp+arg_0]
.text:10023922 push ecx
.text:10023923 push offset aDDDDS ; "%d, %d, %d, %d, %s \n"
.text:10023928 lea edx, [ebp+wzDest] ; wchar[258]
.text:1002392E push edx ; Dest
.text:1002392F call __swprintf ; b0f! As the string is written into a 258 wchar stack buffer using _swprintf() without performing any boundary checks, it’s possible to trigger a stackbased buffer overflow and gain control of the execution flow. CreateAreaLine() Method Uninitialized Value Use Arbitrary Code Execution The ActiveX control supports the CreateAreaLine() method, which accepts six arguments: short CreateAreaLine( short sCh, short sEnable, short sColor, short sPenBold, short sWNum, short sHNum); When calling the method prior to properly initializing the ActiveX control, the this pointer references an only partially initialized CEverNet3Ctrl object. Eventually, the code checks the value of the supplied “sCh” argument. .text:1001F620 M_CreateAreaLine proc near ; DATA XREF: .rdata:1007B098o .text:1001F620 .text:1001F620 lpThis = dword ptr 8
20150731 26 of 28
.text:1001F620 iCount = dword ptr 4
.text:1001F620 sCh = word ptr 8
.text:1001F620 sEnable = word ptr 0Ch
.text:1001F620 sColor = word ptr 10h
.text:1001F620 sPenBold = word ptr 14h
.text:1001F620 sWNum = word ptr 18h
.text:1001F620 sHNum = word ptr 1Ch
.text:1001F620
.text:1001F620 push ebp
.text:1001F621 mov ebp, esp
.text:1001F623 sub esp, 8
.text:1001F626 mov [ebp+lpThis], ecx
...
.text:1001F655 movsx edx, [ebp+sCh]
.text:1001F659 cmp edx, 63h
.text:1001F65C jnz short loc_1001F6BF ; sCh != 99? If not set to 99, two additional checks ensure that the signextended result is neither negative nor 4 or greater. .text:1001F6BF loc_1001F6BF: ; CODE XREF: M_CreateAreaLine+3Cj .text:1001F6BF movsx eax, [ebp+sCh] .text:1001F6C3 test eax, eax .text:1001F6C5 jl short loc_1001F710 ; negative? .text:1001F6C7 movsx ecx, [ebp+sCh] .text:1001F6CB cmp ecx, 4 .text:1001F6CE jge short loc_1001F710 ; sCh >= 4? If passing the check, the “sCh” argument is used as index into an array inside the CEverNet3Ctrl object. However, the values in this array may be uninitialized, resulting in one of these being treated as an object pointer and dereferenced when calling a virtual function. This allows gaining control of the execution flow. .text:1001F6D0 mov dx, [ebp+sHNum] .text:1001F6D4 push edx .text:1001F6D5 mov ax, [ebp+sWNum] .text:1001F6D9 push eax .text:1001F6DA mov cx, [ebp+sPenBold] .text:1001F6DE push ecx .text:1001F6DF mov dx, [ebp+sColor] .text:1001F6E3 push edx .text:1001F6E4 mov ax, [ebp+sEnable] .text:1001F6E8 push eax .text:1001F6E9 movsx ecx, [ebp+sCh] .text:1001F6ED mov edx, [ebp+lpThis] .text:1001F6F0 mov eax, [edx+ecx*4+0B064h] ; uninit mem .text:1001F6F7 movsx ecx, [ebp+sCh] .text:1001F6FB mov edx, [ebp+lpThis] .text:1001F6FE mov ecx, [edx+ecx*4+0B064h] .text:1001F705 mov edx, [eax] .text:1001F707 push ecx .text:1001F708 mov eax, [edx+0F4h] .text:1001F70E call eax
20150731 27 of 28
If the “sCh” argument was set to 99, another similar dereference of an uninitialized value occurs. .text:1001F67D mov cx, [ebp+sHNum] .text:1001F681 push ecx .text:1001F682 mov dx, [ebp+sWNum] .text:1001F686 push edx .text:1001F687 mov ax, [ebp+sPenBold] .text:1001F68B push eax .text:1001F68C mov cx, [ebp+sColor] .text:1001F690 push ecx .text:1001F691 mov dx, [ebp+sEnable] .text:1001F695 push edx .text:1001F696 mov eax, [ebp+iCount] .text:1001F699 mov ecx, [ebp+lpThis] .text:1001F69C mov edx, [ecx+eax*4+0B064h] .text:1001F6A3 mov eax, [ebp+iCount] .text:1001F6A6 mov ecx, [ebp+lpThis] .text:1001F6A9 mov eax, [ecx+eax*4+0B064h] .text:1001F6B0 mov ecx, [edx] .text:1001F6B2 push eax .text:1001F6B3 mov edx, [ecx+0F4h] .text:1001F6B9 call edx
Solution The vendor was not responsive, and we are not aware of any available fix for these vulnerabilities.
Timeline 20141023 Vulnerabilities discovered. 20141208 Emailed vendor to obtain details for security contact. 20150101 OSVDB entries published and details made available on VulnDB . 2
20150731 Publication of this vulnerability report.
2 https://www.riskbasedsecurity.com/riskdataanalytics/vulnerabilitydatabase/
20150731 28 of 28
