CVE-2014-1201
Published 2014-01-15
Priority: P261 | critical | CVSS 2.0: 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 29.46% (97.9th percentile)
Buffer overflow in the INetViewX ActiveX control in the Lorex Edge LH310 and Edge+ LH320 series with firmware 7-35-28-1B26E, Edge2 LH330 series with firmware 11.17.38-33_1D97A, and Edge3 LH340 series with firmware 11.19.85_1FE3A allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the HTTP_PORT parameter.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lorex_technology | edge2_lh330_firmware | — | — |
| lorex_technology | edge3_lh340_firmware | — | — |
| lorex_technology | edge_+_lh320_firmware | — | — |
| lorex_technology | edge_lh310_firmware | — | — |
| lorextechnology | edge | — | — |
| lorextechnology | edge | — | — |
| lorextechnology | edge2 | — | — |
| lorextechnology | edge3 | — | — |
Detection & IOCs (extracted from sources)
- The buffer overflow is triggered via a long string (10000+ characters) in the HTTP_PORT parameter of the INetViewX ActiveX control, exploitable through Internet Explorer.
- EIP control is achieved at byte offsets 109–113 of the HTTP_PORT parameter string; monitor for ActiveX instantiation of INetViewX with anomalously long HTTP_PORT values.
- The vulnerable ActiveX control is delivered via INetViewProj1_02030330.cab; detect installation or loading of this CAB/ActiveX in browser environments.
- Crash manifests in iexplore.exe via INetViewProj1!Inetviewimpl1Finalize; monitor for iexplore.exe crashes referencing this module.
- Exploitability confirmed on Win XP SP3 IE6 and Win 7 x64 IE10; the !exploitable classification is EXPLOITABLE due to exception handler chain corruption.
- Lorex DVRs exposing the web interface can be identified on Shodan; network defenders should block or monitor external access to Lorex EDGE series DVR web ports.
- Affected firmware versions are explicitly enumerated; only devices running these exact firmware builds are confirmed vulnerable.
- Exploitation reliability varies by OS/browser: fully exploitable on XP SP3 IE6 and Win7 x64 IE10, but could not be triggered on XP SP3 IE8.
- All 16 products in the Lorex EDGE series are reported as vulnerable, not just the specific models listed in the NVD entry.
References
- http://osvdb.org/101903
- http://www.securityfocus.com/archive/1/530739/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90223
- https://github.com/pedrib/PoC/blob/master/lorexActivex/lorex-report.txt
- https://github.com/pedrib/PoC/blob/master/lorexActivex/lorex-testcase.html