Samsung NET-i ware 1.37 - Multiple Vulnerabilities


Platform:

Windows

Published:

2012-04-22

#######################################################################

                             Luigi Auriemma

Application:  Samsung NET-i ware
              http://www.samsungsecurity.com/product/product_view.asp?idx=6447
              http://www.samsungsecurity.com/product/product_view.asp?idx=5828
Versions:     <= 1.37
Platforms:    Windows
Bugs:         A] Endless loop in remote services
              B] Code execution in ConnectDDNS ActiveX
              C] Stack overflow in BackupToAvi ActiveX
Exploitation: remote
Date:         21 Apr 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"Recording software for Samsung network cameras".


#######################################################################

=======
2) Bugs
=======


----------------------------------
A] Endless loop in remote services
----------------------------------

All the NET-i ware services are affected by an endless loop caused by
the wrong handling of negative 32bit size fields.


----------------------------------------
B] Code execution in ConnectDDNS ActiveX
----------------------------------------

Code execution vulnerability in the ConnectDDNS method used by the
following ActiveX components:
- EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3
- 17A7F731-C9EC-461C-B813-2F42A1BB58EB

  10022F80   8B02             MOV EAX,DWORD PTR DS:[EDX]
  10022F82   8B4D E8          MOV ECX,DWORD PTR SS:[EBP-18]
  10022F85   FF10             CALL DWORD PTR DS:[EAX]

The bug is not much reliable to replicate so I report it just for
reference.
No additional research performed.


----------------------------------------
C] Stack overflow in BackupToAvi ActiveX
----------------------------------------

Stack overflow in the BackupToAvi method used by the ActiveX components
3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A and
208650B1-3CA1-4406-926D-45F2DBB9C299.


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/18765-1.zip

  NiwMasterService:
  udpsz -b 0x80 -T SERVER 4505 0x28

  NiwStorageService:
  udpsz -T -c "REM" 0 -C 80808080 0x10 SERVER 4508 0x14

B,C]
http://aluigi.org/poc/netiware_1b.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################