Details of VAR-E-201204-0129

ID

VAR-E-201204-0129

CVE

cve_id:	CVE-2012-4329	Trust: 1.9
cve_id:	CVE-2012-4330	Trust: 1.3
cve_id:	CVE-2012-4334	Trust: 1.3
cve_id:	CVE-2012-4333	Trust: 1.3
cve_id:	CVE-2012-4335	Trust: 1.3

sources: BID: 53161 // BID: 53193 // EXPLOIT-DB: 18765 // EDBNET: 41078

EDB ID

18765

TITLE

Samsung NET-i ware 1.37 - Multiple Vulnerabilities - Windows dos Exploit

Trust: 0.6

sources: EXPLOIT-DB: 18765

DESCRIPTION

Samsung NET-i ware 1.37 - Multiple Vulnerabilities. CVE-81452CVE-81222CVE-2012-4335CVE-2012-4334CVE-2012-4333CVE-81221CVE-2012-4330CVE-2012-4329 . dos exploit for Windows platform

Trust: 0.6

sources: EXPLOIT-DB: 18765

AFFECTED PRODUCTS

vendor:	samsung	model:	net-i ware	scope:	eq	version:	1.37	Trust: 1.3
vendor:	samsung	model:	net-i ware	scope:	lte	version:	<=1.37	Trust: 0.6
vendor:	samsung	model:	tv	scope:	eq	version:	0	Trust: 0.3
vendor:	samsung	model:	bd	scope:	eq	version:	0	Trust: 0.3
vendor:	samsung	model:	net-i viewer	scope:	eq	version:	1.37	Trust: 0.3

sources: BID: 53161 // BID: 53193 // EXPLOIT-DB: 18765 // EDBNET: 41078

EXPLOIT

#######################################################################

Luigi Auriemma

Application: Samsung NET-i ware
http://www.samsungsecurity.com/product/product_view.asp?idx=6447
http://www.samsungsecurity.com/product/product_view.asp?idx=5828
Versions: <= 1.37
Platforms: Windows
Bugs: A] Endless loop in remote services
B] Code execution in ConnectDDNS ActiveX
C] Stack overflow in BackupToAvi ActiveX
Exploitation: remote
Date: 21 Apr 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"Recording software for Samsung network cameras".

#######################################################################

=======
2) Bugs
=======

----------------------------------
A] Endless loop in remote services
----------------------------------

All the NET-i ware services are affected by an endless loop caused by
the wrong handling of negative 32bit size fields.

----------------------------------------
B] Code execution in ConnectDDNS ActiveX
----------------------------------------

Code execution vulnerability in the ConnectDDNS method used by the
following ActiveX components:
- EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3
- 17A7F731-C9EC-461C-B813-2F42A1BB58EB

10022F80 8B02 MOV EAX,DWORD PTR DS:[EDX]
10022F82 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
10022F85 FF10 CALL DWORD PTR DS:[EAX]

The bug is not much reliable to replicate so I report it just for
reference.
No additional research performed.

----------------------------------------
C] Stack overflow in BackupToAvi ActiveX
----------------------------------------

Stack overflow in the BackupToAvi method used by the ActiveX components
3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A and
208650B1-3CA1-4406-926D-45F2DBB9C299.

#######################################################################

===========
3) The Code
===========

A]
http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/18765-1.zip

NiwMasterService:
udpsz -b 0x80 -T SERVER 4505 0x28

NiwStorageService:
udpsz -T -c "REM" 0 -C 80808080 0x10 SERVER 4508 0x14

B,C]
http://aluigi.org/poc/netiware_1b.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

Trust: 1.0

sources: EXPLOIT-DB: 18765

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 18765

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 18765

TYPE

Multiple Vulnerabilities

Trust: 1.6

sources: EXPLOIT-DB: 18765 // EDBNET: 41078

CREDITS

Luigi Auriemma

Trust: 0.6

sources: EXPLOIT-DB: 18765

EXTERNAL IDS

db:	NVD	id:	CVE-2012-4329	Trust: 1.9
db:	EXPLOIT-DB	id:	18765	Trust: 1.6
db:	NVD	id:	CVE-2012-4330	Trust: 1.3
db:	NVD	id:	CVE-2012-4334	Trust: 1.3
db:	NVD	id:	CVE-2012-4333	Trust: 1.3
db:	NVD	id:	CVE-2012-4335	Trust: 1.3
db:	EDBNET	id:	41078	Trust: 0.6
db:	BID	id:	53161	Trust: 0.3
db:	BID	id:	53193	Trust: 0.3

sources: BID: 53161 // BID: 53193 // EXPLOIT-DB: 18765 // EDBNET: 41078

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2012-4329	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4334	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4330	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4333	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2012-4335	Trust: 1.0
url:	https://www.exploit-db.com/exploits/18765/	Trust: 0.6
url:	http://aluigi.org/adv/samsux_1-adv.txt	Trust: 0.3
url:	http://www.samsung.com/	Trust: 0.3
url:	http://www.samsungsecurity.com/product/product_view.asp?idx=5828	Trust: 0.3
url:	http://aluigi.org/adv/netiware_1-adv.txt	Trust: 0.3
url:	http://www.samsungsecurity.com/product/product_view.asp?idx=6447	Trust: 0.3

sources: BID: 53161 // BID: 53193 // EXPLOIT-DB: 18765 // EDBNET: 41078

SOURCES

db:	BID	id:	53161
db:	BID	id:	53193
db:	EXPLOIT-DB	id:	18765
db:	EDBNET	id:	41078

LAST UPDATE DATE

2022-07-27T09:22:10.667000+00:00

SOURCES UPDATE DATE

db:	BID	id:	53161	date:	2012-08-16T13:30:00
db:	BID	id:	53193	date:	2012-08-16T13:30:00

SOURCES RELEASE DATE

db:	BID	id:	53161	date:	2012-04-19T00:00:00
db:	BID	id:	53193	date:	2012-04-23T00:00:00
db:	EXPLOIT-DB	id:	18765	date:	2012-04-22T00:00:00
db:	EDBNET	id:	41078	date:	2012-04-22T00:00:00