RBS­2015­001

EverFocus Electronics Corp EPlusOcx ActiveX Control Multiple Stack Buffer Overflows

2015­05­21 1 of 10

Table of Contents

Table of Contents 2 About Risk Based Security 3

Company History 3 Solutions 3

Vulnerable Program Details 4 References 4 Credits 4 Vulnerability Details 5

LiveStream() Method Handling Stack Buffer Overflow 5 SendHttpRequest() Method Handling Stack Buffer Overflow 6 OpenArchive() Function Stack Buffer Overflow 8

Solution 10 Timeline 10

2015­05­21 2 of 10

About Risk Based Security Risk Based Security offers clients fully integrated security solutions, combining real­time vulnerability and threat data, as well as the analytical resources to understand the implications of the data, resulting in not just security, but the right security.

Company History Risk Based Security, Inc. (RBS) was established in early 2011 to better support the many users and initiatives of the Open Security Foundation ­ including the OSVDB and DataLossDB projects. RBS was created to transform this wealth of security data into actionable information by enhancing the research available, and providing a first of its kind risk identification and evidence­based security management service. As a data driven and vendor neutral organization, RBS is able to deliver focused security solutions that are timely, cost effective, and built to address the specific threats and vulnerabilities most relevant to the organizations we serve. We not only maintain vulnerability and data breach databases, we also use this information to inform our entire practice.

Solutions VulnDB ­ Vulnerability intelligence, alerting, and third party library tracking based on the largest and most comprehensive vulnerability database. Available as feature­rich SaaS portal or powerful API Cyber Risk Analytics ­ Extensive data breach database including interactive dashboards and breach analytics. Clients are able to gather and analyze security threat and data breach information on businesses, industries, geographies, and causes of loss. YourCISO ­ Revolutionary service that provides organizations an affordable security solution including policies, vulnerability scans, awareness material, incident response, and access to high quality information security resources and consulting services. Vulnerability Assessments (VA) and Pentesting ­ Regularly scheduled VAs and pentests help an organization identify weaknesses before the bad guys do. Managing the most comprehensive VDB puts us in a unique position to offer comprehensive assessments, combining the latest in scanning technology and our own data. Detailed and actionable reports are provided in a clear and easy to understand language. Security Development Lifecycle (SDL) ­ Consulting, auditing, and verification specialized in breaking code, which in turn greatly increases the security of products.

2015­05­21 3 of 10

Vulnerable Program Details Details for tested products and versions: Vendor: EverFocus Electronics Corporation Product: ECOR264­8D2 Version: 1.0.13 Vendor: EverFocus Electronics Corporation Product: ECOR960­16X1 Version: 1.5.26 Component: EPlusOcx ActiveX Control (ePlusOcx.ocx) Version: 1.0.6.24 NOTE: It is suspected that many if not all DVRs in the EverFocus ECOR DVR product line bundle the vulnerable ActiveX control. Other models and versions are, therefore, likely affected.

References RBS: RBS­2015­001 OSVDB / VulnDB: 116600 , 116601 , and 116602 1 2 3

CVE: N/A

Credits Carsten Eiram, Risk Based Security Twitter: @CarstenEiram Twitter: @RiskBased

1 http://www.osvdb.org/show/osvdb/116600 2 http://www.osvdb.org/show/osvdb/116601 3 http://www.osvdb.org/show/osvdb/116602

2015­05­21 4 of 10

Vulnerability Details DVRs in the EverFocus ECOR product line provide a web­based interface for e.g. configuring device settings. When accessed for the first time using Internet Explorer, an ActiveX control, ePlusOcx.ocx, is installed on the client system. This bundled ActiveX control has been determined to be affected by three critical vulnerabilities, all allowing attackers to compromise the client system when viewing a malicious web page.

LiveStream() Method Handling Stack Buffer Overflow One of the methods supported by the ActiveX control is LiveStream(), which is defined as: long LiveStream( BSTR IP, long Port, BSTR SessionID, long Mask); When the method is called, a debug string is crafted based on the supplied arguments.

.text:10017A60 M_LiveStream proc near ; DATA XREF: .rdata:10185EC0 .text:10017A60 .text:10017A60 szOutputString = byte ptr ­208h ; char[260] .text:10017A60 szBuf = byte ptr ­104h ; char[256] .text:10017A60 var_4 = dword ptr ­4 .text:10017A60 pwzIP = dword ptr 4 .text:10017A60 lPort = dword ptr 8 .text:10017A60 pwzSessionID = dword ptr 0Ch .text:10017A60 lMask = dword ptr 10h .text:10017A60 .text:10017A60 sub esp, 208h .text:10017A66 mov eax, dword_101DCD64 .text:10017A6B xor eax, esp .text:10017A6D mov [esp+208h+var_4], eax .text:10017A74 push ebx .text:10017A75 mov ebx, [esp+20Ch+pwzIP] .text:10017A7C push ebp .text:10017A7D mov ebp, [esp+210h+pwzSessionID] .text:10017A84 push esi .text:10017A85 push edi .text:10017A86 push 103h ; size_t .text:10017A8B lea eax, [esp+21Ch+szOutputString+1] ; char[260] .text:10017A8F push 0 ; int .text:10017A91 push eax ; void * .text:10017A92 mov esi, ecx .text:10017A94 mov [esp+224h+szOutputString], 0 ; char[260]

2015­05­21 5 of 10

.text:10017A99 call _memset

.text:10017A9E mov ecx, [esp+224h+lMask]

.text:10017AA5 mov edx, [esp+224h+lPort]

.text:10017AAC push ecx

.text:10017AAD push ebp

.text:10017AAE push edx

.text:10017AAF push ebx

.text:10017AB0 lea eax, [esp+234h+szOutputString] ; char[260]

.text:10017AB4 push offset aLivestreamIpSP ; "LiveStream IP = %s Port = %d SessionID "... .text:10017AB9 push eax ; char * .text:10017ABA call _sprintf ; b0f! The string is written to a 260 byte stack buffer using sprintf() without performing any bounds checks. By providing sufficiently long arguments to the method, it is possible to trigger a stack­based buffer overflow and gain control of the program flow.

SendHttpRequest() Method Handling Stack Buffer Overflow The ActiveX control supports the SendHttpRequest() method, which takes eight arguments: long SendHttpRequest( long nVerb, BSTR szID, BSTR szIp, long nPort, BSTR szUsr, BSTR szPwd, BSTR szObject, BSTR szXmlCmd); When the method is called, a debug string is crafted based on the supplied arguments. .text:100254B0 M_SendHttpRequest proc near ; DATA XREF: .rdata:10186060 .text:100254B0 .text:100254B0 var_134 = dword ptr ­134h .text:100254B0 Src = dword ptr ­130h .text:100254B0 var_12C = dword ptr ­12Ch .text:100254B0 var_128 = dword ptr ­128h .text:100254B0 var_124 = dword ptr ­124h .text:100254B0 var_120 = dword ptr ­120h .text:100254B0 var_11C = byte ptr ­11Ch .text:100254B0 szOutputString = byte ptr ­110h ; char[256] .text:100254B0 var_10 = dword ptr ­10h .text:100254B0 var_C = dword ptr ­0Ch .text:100254B0 var_4 = dword ptr ­4

2015­05­21 6 of 10

.text:100254B0 lnVerb = dword ptr 4

.text:100254B0 pszID = dword ptr 8

.text:100254B0 pszIp = dword ptr 0Ch

.text:100254B0 lnPort = dword ptr 10h

.text:100254B0 pszUsr = dword ptr 14h

.text:100254B0 pszPwd = dword ptr 18h

.text:100254B0 pszObject = dword ptr 1Ch

.text:100254B0 pszXmlCmd = dword ptr 20h

.text:100254B0

.text:100254B0 push 0FFFFFFFFh

.text:100254B2 push offset loc_10179E54

.text:100254B7 mov eax, large fs:0

.text:100254BD push eax

.text:100254BE sub esp, 128h … … … .text:100254EB mov edx, [esp+148h+pszXmlCmd] .text:100254F2 mov ebp, [esp+148h+pszObject] .text:100254F9 mov ebx, [esp+148h+pszPwd] .text:10025500 mov edi, [esp+148h+pszUsr] .text:10025507 mov eax, [esp+148h+pszID] .text:1002550E push edx .text:1002550F push ebp .text:10025510 push ebx .text:10025511 push edi .text:10025512 mov [esp+158h+var_128], ecx .text:10025516 mov ecx, [esp+158h+pszIp] .text:1002551D push ecx .text:1002551E push eax .text:1002551F mov [esp+160h+var_120], eax .text:10025523 lea eax, [esp+160h+szOutputString] ; char[256] .text:10025527 push offset aSendhttpreques ; "SendHttpRequest: id=%s ip=%s usr=%s pwd"... .text:1002552C push eax ; char * .text:1002552D mov [esp+168h+Src], ecx .text:10025531 mov [esp+168h+var_124], ebp .text:10025535 mov [esp+168h+var_12C], edx .text:10025539 call _sprintf ; b0f! The string is written to a 256 byte stack buffer using sprintf() without performing any bounds checks. By providing sufficiently long arguments to the method, it is possible to trigger a stack­based buffer overflow and gain control of the program flow.

2015­05­21 7 of 10

OpenArchive() Function Stack Buffer Overflow The ActiveX control supports the five following methods used for handling archives: long ArchiveStream( BSTR IP, long Port, BSTR SessionID, unsigned long Mask, long StartTime, long EndTime, long MaxFileLenth);

long ArchiveStreamEx( BSTR IP, long Port, BSTR SessionID, unsigned long Mask, long StartTime, long EndTime, long MaxFileLenth, short SelectFile, BSTR FileName);

long ArchiveStreamExRV( BSTR IP, long Port, BSTR SessionID, unsigned long Mask, long StartTime, long EndTime, long VideoType, long MaxFileLength, short SelcetFile, BSTR FileName);

long ArchiveStreamExNRV( BSTR IP, long Port, BSTR SessionID, unsigned long Mask, long StartTime, long EndTime, long ArchiveType, long VideoType, long MaxFileLength, short SelectFile, BSTR FileName);

long ArchiveStreamExPlus( BSTR IP, long Port, BSTR SessionID, double Mask, long StartTime, long EndTime, long FileSize, short SelectFile, BSTR FileName);

2015­05­21 8 of 10

When called, each method may eventually end up calling the OpenArchive() function within ePlusOcx.ocx to retrieve an archive from a device at a specified IP.

The OpenArchive() function starts out by creating a debug string (“OpenArchive ip=%s max=%d\n”) using the ‘IP’ string argument supplied to each of the five methods. .text:10034B90 OpenArchive proc near ; CODE XREF: M_ArchiveStream+67p .text:10034B90 ; M_ArchiveStreamEx+6Bp ... .text:10034B90 add ecx, 0F2A8h .text:10034B96 jmp loc_10012E50 .text:10012E50 loc_10012E50: ; CODE XREF: OpenArchive+6j .text:10012E50 push 0FFFFFFFFh .text:10012E52 push offset loc_1017889D .text:10012E57 mov eax, large fs:0 .text:10012E5D push eax .text:10012E5E sub esp, 414h … … .text:10012E8B mov edi, [esp+434h+arg_0] .text:10012E92 mov eax, [esp+434h+arg_8] .text:10012E99 mov esi, [esp+434h+Src] .text:10012EA0 mov ebp, ecx .text:10012EA2 mov ecx, [esp+434h+arg_18] .text:10012EA9 push ecx .text:10012EAA push edi .text:10012EAB lea edx, [esp+43Ch+szOutputString] ; char[256] .text:10012EB2 push offset aOpenarchiveIpS ; "OpenArchive ip=%s max=%d\n" .text:10012EB7 push edx ; char * .text:10012EB8 mov [esp+444h+var_414], edi .text:10012EBC mov [esp+444h+var_408], eax .text:10012EC0 call _sprintf ; b0f! The string is written to a 256 byte stack buffer using sprintf() without performing any bounds checks. By providing sufficiently long ‘IP’ argument to one of the five methods, it is possible to trigger a stack­based buffer overflow and gain control of the program flow.

2015­05­21 9 of 10

Solution The vendor was not responsive, and we are not aware of any available fix for these vulnerabilities.

Timeline 2014/10/23 Vulnerabilities discovered. 2014/12/08 Emailed vendor to obtain details for security contact. 2015/01/01 OSVDB entry published and details made available on VulnDB . 4

2015/05/21 Publication of this vulnerability report.

4 https://www.riskbasedsecurity.com/risk­data­analytics/vulnerability­database/

2015­05­21 10 of 10