#######################################################################
Luigi Auriemma
Application: Samsung NET-i ware
http://www.samsungsecurity.com/product/product_view.asp?idx=6447
http://www.samsungsecurity.com/product/product_view.asp?idx=5828
Versions: <= 1.37
Platforms: Windows
Bugs: A] Endless loop in remote services
B] Code execution in ConnectDDNS ActiveX
C] Stack overflow in BackupToAvi ActiveX
Exploitation: remote
Date: 21 Apr 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
"Recording software for Samsung network cameras".
#######################################################################
=======
2) Bugs
=======
----------------------------------
A] Endless loop in remote services
----------------------------------
All the NET-i ware services are affected by an endless loop caused by
the wrong handling of negative 32bit size fields.
----------------------------------------
B] Code execution in ConnectDDNS ActiveX
----------------------------------------
Code execution vulnerability in the ConnectDDNS method used by the
following ActiveX components:
- EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3
- 17A7F731-C9EC-461C-B813-2F42A1BB58EB
10022F80 8B02 MOV EAX,DWORD PTR DS:[EDX]
10022F82 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
10022F85 FF10 CALL DWORD PTR DS:[EAX]
The bug is not much reliable to replicate so I report it just for
reference.
No additional research performed.
----------------------------------------
C] Stack overflow in BackupToAvi ActiveX
----------------------------------------
Stack overflow in the BackupToAvi method used by the ActiveX components
3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A and
208650B1-3CA1-4406-926D-45F2DBB9C299.
#######################################################################
===========
3) The Code
===========
A]
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/18765-1.zip
NiwMasterService:
udpsz -b 0x80 -T SERVER 4505 0x28
NiwStorageService:
udpsz -T -c "REM" 0 -C 80808080 0x10 SERVER 4508 0x14
B,C]
http://aluigi.org/poc/netiware_1b.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################