what you don't know can hurt you

Cisco Linksys PlayerPT Active-X SetSource() Buffer Overflow

Cisco Linksys PlayerPT Active-X SetSource() Buffer Overflow
Posted Jul 17, 2012
Authored by Carsten Eiram | Site secunia.com

Secunia Research has discovered a vulnerability in Cisco Linksys PlayerPT ActiveX Control, which can be exploited by malicious people to compromise a user's system. Successful exploitation allows execution of arbitrary code. Cisco Linksys PlayerPT ActiveX Control version 1.0.0.15 is affected. Other versions may also be affected.

tags | advisory, overflow, arbitrary, activex
systems | cisco
advisories | CVE-2012-0284
MD5 | 7f6a48e8406e1e958428ab0ef9b73cf2

Cisco Linksys PlayerPT Active-X SetSource() Buffer Overflow

Change Mirror Download
====================================================================== 

Secunia Research 17/07/2012

- Cisco Linksys PlayerPT ActiveX Control -
- "SetSource()" Buffer Overflow -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* Cisco Linksys PlayerPT ActiveX Control 1.0.0.15

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where: Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Cisco Linksys
PlayerPT ActiveX Control, which can be exploited by malicious people
to compromise a user's system.

Cisco Linksys PlayerPT ActiveX control is bundled with the Cisco
WVC200 Wireless-G PTZ Internet Video Camera and is used by client
systems to view footage via Internet Explorer. The ActiveX control is
marked safe-for-scripting and one of the provided methods is:
"SetSource()", which is used to set the source of the footage to view.
The method accepts five string arguments where the first ("sURL") is
the URL to the footage.

When a web page instantiates the ActiveX control and invokes the
"SetSource()" method, the function in PlayerPT.ocx responsible for
handling this method is called. The function performs various checks
on the supplied arguments including a check to determine if the
"sFrameType" string (2nd argument) is set to "mpeg". If so, the
function searches for and strips "img/video.asf" from the provided URL
in the "sURL" argument; if not, "img/mjpeg.cgi" is used.

The URL is stored to a CString object and URLs to various resources
are crafted based on the base URL including an URL to the
"img/query.cgi" resource. Later, this URL is copied into a 256 byte
stack buffer via a call to sprintf() without performing any size
checks. This can be exploited to cause a stack-based buffer overflow
via an overly long, specially crafted URL.

Successful exploitation allows execution of arbitrary code.

======================================================================
4) Solution

According to the vendor, the ActiveX control is bundled only with
products considered EOL and, therefore, itself considered EOL. The
vendor is currently working on getting the kill-bit set.

As a workaround, set the kill-bit for the following CLSID:
* {9E065E4A-BD9D-4547-8F90-985DC62A5591}

======================================================================
5) Time Table

23/03/2012 - Vulnerability discovered while analysing public report of
similar vulnerability (SA48543#1).
23/03/2012 - Vendor notified.
02/04/2012 - Vendor response (WVC200 product bundling the ActiveX
control has become EOL).
03/04/2012 - Vendor informed that ActiveX control should have kill-bit
set if considered EOL and asked to confirm that no
currently supported products bundle it.
13/04/2012 - Status update requested.
15/04/2012 - Vendor response (currently checking which products bundle
the ActiveX control and looking into setting kill-bit).
21/06/2012 - Status update requested.
13/07/2012 - Status update requested.
13/07/2012 - Vendor response (determined that no supported products
bundle the vulnerable ActiveX control and looking into
setting kill-bit).
17/07/2012 - Public disclosure.

======================================================================
6) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2012-0284 for the vulnerability.

======================================================================
8) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2012-25/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close