ID

VAR-201207-0320

CVE

CVE-2012-0284

TITLE

Cisco Linksys PlayerPT ActiveX Stack-based buffer overflow vulnerability in Control

DESCRIPTION

Stack-based buffer overflow in the SetSource method in the Cisco Linksys PlayerPT ActiveX control 1.0.0.15 in PlayerPT.ocx on the Cisco WVC200 Wireless-G PTZ Internet video camera allows remote attackers to execute arbitrary code via a long URL in the first argument (aka the sURL argument). Cisco Linksys PlayerPT ActiveX Control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions. Cisco Linksys PlayerPT 1.0.0.15 is vulnerable; other versions may also be affected. ====================================================================== 2) Severity Rating: Highly critical Impact: System compromise Where: Remote ====================================================================== 3) Description of Vulnerability Secunia Research has discovered a vulnerability in Cisco Linksys PlayerPT ActiveX Control, which can be exploited by malicious people to compromise a user's system. The ActiveX control is marked safe-for-scripting and one of the provided methods is: "SetSource()", which is used to set the source of the footage to view. The method accepts five string arguments where the first ("sURL") is the URL to the footage. When a web page instantiates the ActiveX control and invokes the "SetSource()" method, the function in PlayerPT.ocx responsible for handling this method is called. The function performs various checks on the supplied arguments including a check to determine if the "sFrameType" string (2nd argument) is set to "mpeg". If so, the function searches for and strips "img/video.asf" from the provided URL in the "sURL" argument; if not, "img/mjpeg.cgi" is used. The URL is stored to a CString object and URLs to various resources are crafted based on the base URL including an URL to the "img/query.cgi" resource. Later, this URL is copied into a 256 byte stack buffer via a call to sprintf() without performing any size checks. This can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted URL. Successful exploitation allows execution of arbitrary code. ====================================================================== 4) Solution According to the vendor, the ActiveX control is bundled only with products considered EOL and, therefore, itself considered EOL. The vendor is currently working on getting the kill-bit set. As a workaround, set the kill-bit for the following CLSID: * {9E065E4A-BD9D-4547-8F90-985DC62A5591} ====================================================================== 5) Time Table 23/03/2012 - Vulnerability discovered while analysing public report of similar vulnerability (SA48543#1). 23/03/2012 - Vendor notified. 02/04/2012 - Vendor response (WVC200 product bundling the ActiveX control has become EOL). 03/04/2012 - Vendor informed that ActiveX control should have kill-bit set if considered EOL and asked to confirm that no currently supported products bundle it. 13/04/2012 - Status update requested. 15/04/2012 - Vendor response (currently checking which products bundle the ActiveX control and looking into setting kill-bit). 21/06/2012 - Status update requested. 13/07/2012 - Status update requested. 13/07/2012 - Vendor response (determined that no supported products bundle the vulnerable ActiveX control and looking into setting kill-bit). 17/07/2012 - Public disclosure. ====================================================================== 6) Credits Discovered by Carsten Eiram, Secunia Research. ====================================================================== 7) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2012-0284 for the vulnerability. ====================================================================== 8) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 9) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2012-25/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer overflow

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Carsten Eiram

SOURCES

LAST UPDATE DATE

2025-04-11T21:21:30.734000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE