SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Multimedia)  >   Cisco Video Surveillance Camera Vendors:   Cisco
Cisco WVC200 Wireless Internet Video Camera Buffer Overflow in PlayerPT ActiveX Control Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1027259
SecurityTracker URL:  http://securitytracker.com/id/1027259
CVE Reference:   CVE-2012-0284   (Links to External Site)
Date:  Jul 17 2012
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): WVC200 Camera; PlayerPT ActiveX Control 1.0.0.15
Description:   Two vulnerabilities were reported in the Cisco WVC200 Wireless Internet Video Camera. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a stack overflow in the SetSource() function of the PlayerPT ActiveX control ('PlayerPT.ocx') and execute arbitrary code on the target system. The code will run with the privileges of the target user.

The vulnerable control is included with the Cisco WVC200 Wireless-G PTZ Internet Video Camera.

The CLSID of the vulnerable control is: 9E065E4A-BD9D-4547-8F90-985DC62A5591

rgod reported one vulnerability. Carsten Eiram, Secunia Research, reported the other vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.cisco.com/ (Links to External Site)
Cause:   Boundary error

Message History:   None.


 Source Message Contents

Subject:  Secunia Research: Cisco Linksys PlayerPT ActiveX Control "SetSource()" Buffer Overflow

====================================================================== 

                     Secunia Research 17/07/2012

              - Cisco Linksys PlayerPT ActiveX Control -
                  - "SetSource()" Buffer Overflow -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

====================================================================== 
1) Affected Software 

* Cisco Linksys PlayerPT ActiveX Control 1.0.0.15

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Highly critical
Impact: System compromise
Where:  Remote

====================================================================== 
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Cisco Linksys 
PlayerPT ActiveX Control, which can be exploited by malicious people 
to compromise a user's system.

Cisco Linksys PlayerPT ActiveX control is bundled with the Cisco 
WVC200 Wireless-G PTZ Internet Video Camera and is used by client 
systems to view footage via Internet Explorer. The ActiveX control is 
marked safe-for-scripting and one of the provided methods is: 
"SetSource()", which is used to set the source of the footage to view.
The method accepts five string arguments where the first ("sURL") is 
the URL to the footage.

When a web page instantiates the ActiveX control and invokes the 
"SetSource()" method, the function in PlayerPT.ocx responsible for 
handling this method is called. The function performs various checks 
on the supplied arguments including a check to determine if the 
"sFrameType" string (2nd argument) is set to "mpeg". If so, the 
function searches for and strips "img/video.asf" from the provided URL
in the "sURL" argument; if not, "img/mjpeg.cgi" is used.

The URL is stored to a CString object and URLs to various resources 
are crafted based on the base URL including an URL to the 
"img/query.cgi" resource. Later, this URL is copied into a 256 byte 
stack buffer via a call to sprintf() without performing any size 
checks. This can be exploited to cause a stack-based buffer overflow 
via an overly long, specially crafted URL.

Successful exploitation allows execution of arbitrary code.

====================================================================== 
4) Solution 

According to the vendor, the ActiveX control is bundled only with 
products considered EOL and, therefore, itself considered EOL. The 
vendor is currently working on getting the kill-bit set.

As a workaround, set the kill-bit for the following CLSID:
* {9E065E4A-BD9D-4547-8F90-985DC62A5591}

====================================================================== 
5) Time Table 

23/03/2012 - Vulnerability discovered while analysing public report of 
             similar vulnerability (SA48543#1).
23/03/2012 - Vendor notified.
02/04/2012 - Vendor response (WVC200 product bundling the ActiveX 
             control has become EOL).
03/04/2012 - Vendor informed that ActiveX control should have kill-bit 
             set if considered EOL and asked to confirm that no 
             currently supported products bundle it.
13/04/2012 - Status update requested.
15/04/2012 - Vendor response (currently checking which products bundle
             the ActiveX control and looking into setting kill-bit).
21/06/2012 - Status update requested.
13/07/2012 - Status update requested.
13/07/2012 - Vendor response (determined that no supported products 
             bundle the vulnerable ActiveX control and looking into 
             setting kill-bit).
17/07/2012 - Public disclosure.

====================================================================== 
6) Credits 

Discovered by Carsten Eiram, Secunia Research.

====================================================================== 
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2012-0284 for the vulnerability.

====================================================================== 
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

====================================================================== 
9) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2012-25/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC