ID

VAR-201210-0439


CVE

CVE-2012-5306


TITLE

D-Link DCS-5605 PTZ ActiveX Control 'SelectDirectory()' Method Buffer Overflow Vulnerability

Trust: 0.9

sources: CNVD: CNVD-2012-1651 // BID: 52769

DESCRIPTION

Stack-based buffer overflow in the SelectDirectory method in DcsCliCtrl.dll in Camera Stream Client ActiveX Control, as used in D-Link DCS-5605 PTZ IP Network Camera, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string argument.

The D-Link DCS-5605 is a webcam product for remote monitoring. When browsing the device's web interface, the user is asked to install an ActiveX control to view the video stream content. The control, contained in DcsCliCtrl.dll, exposes the unsafe SelectDirectory() method. Because the method uses an unsafe lstrcpyW() call, special parameters trigger a stack-based buffer overflow.

D-Link DCS-5605 PTZ is prone to a stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code within the context of the application, typically Internet Explorer, that uses the ActiveX control. Failed exploit attempts will result in denial-of-service conditions.

D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment.

----------------------------------------------------------------------

TITLE: Camera Stream Client ActiveX Control "SetDirectory()" Buffer Overflow

SECUNIA ADVISORY ID: SA48602

VERIFY ADVISORY: http://secunia.com/advisories/48602/

RELEASE DATE: 2012-03-29

DESCRIPTION: Andrea Micalizzi has discovered a vulnerability in Camera Stream Client ActiveX Control, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error when handling the "SetDirectory()" method and can be exploited to cause a stack-based buffer overflow by passing an overly long argument. Successful exploitation allows execution of arbitrary code, but requires users to click "OK" to select a directory in the displayed "Browse for Folder" dialog box instead of "Cancel". The vulnerability is confirmed in version 1.0.0.4519 bundled with DCS-5605 firmware 1.02 and version 1.0.0.4617 bundled with D-Link DCS-2102 firmware 1.05. Other versions may also be affected.

SOLUTION: Set the kill-bit for the affected ActiveX control.

PROVIDED AND/OR DISCOVERED BY: Andrea Micalizzi (rgod)

ORIGINAL ADVISORY: http://retrogod.altervista.org/9sg_dlink_adv.htm

Trust: 2.61

sources: NVD: CVE-2012-5306 // JVNDB: JVNDB-2012-004767 // CNVD: CNVD-2012-1651 // BID: 52769 // VULHUB: VHN-58587 // PACKETSTORM: 111380

IOT TAXONOMY

category: ['IoT', 'Network device'], sub_category: -

Trust: 0.6

category: ['camera device'], sub_category: IP camera

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2012-1651

AFFECTED PRODUCTS

vendor: dlink, model: dcs-5605 ptz ip network camera, scope: eq, version: -

Trust: 1.0

vendor: dlink, model: camera stream client activex control, scope: eq, version: 1.0.0.4519

Trust: 1.0

vendor: d link, model: dcs-5605 ptz, scope: eq, version: 0

Trust: 0.9

vendor: d link, model: camera stream client activex control, scope: -, version: -

Trust: 0.8

vendor: d link, model: dcs-5605, scope: -, version: -

Trust: 0.8

vendor: d link, model: dcs-5605 ptz ip network camera, scope: eq, version: -

Trust: 0.6

vendor: d link, model: camera stream client activex control, scope: eq, version: 1.0.0.4519

Trust: 0.6

sources: CNVD: CNVD-2012-1651 // BID: 52769 // JVNDB: JVNDB-2012-004767 // CNNVD: CNNVD-201203-543 // NVD: CVE-2012-5306

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-5306
value: HIGH

Trust: 1.0

NVD: CVE-2012-5306
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201203-543
value: CRITICAL

Trust: 0.6

VULHUB: VHN-58587
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2012-5306
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-58587
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-58587 // JVNDB: JVNDB-2012-004767 // CNNVD: CNNVD-201203-543 // NVD: CVE-2012-5306

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-58587 // JVNDB: JVNDB-2012-004767 // NVD: CVE-2012-5306

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201203-543

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201203-543

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-004767

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-58587

PATCH

title: DCS-5605, url: http://www.dlink.com/us/en/business-solutions/ip-surveillance/business-ip-cameras/ptz-cameras/dcs-5605-securicam-h-264-ptz-network-camera

Trust: 0.8

sources: JVNDB: JVNDB-2012-004767

EXTERNAL IDS

db: NVD, id: CVE-2012-5306

Trust: 2.9

db: BID, id: 52769

Trust: 2.6

db: SECUNIA, id: 48602

Trust: 1.8

db: EXPLOIT-DB, id: 18673

Trust: 1.7

db: OSVDB, id: 80663

Trust: 1.7

db: JVNDB, id: JVNDB-2012-004767

Trust: 0.8

db: CNNVD, id: CNNVD-201203-543

Trust: 0.7

db: CNVD, id: CNVD-2012-1651

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

db: SEEBUG, id: SSVID-72731

Trust: 0.1

db: VULHUB, id: VHN-58587

Trust: 0.1

db: PACKETSTORM, id: 111380

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2012-1651 // VULHUB: VHN-58587 // BID: 52769 // JVNDB: JVNDB-2012-004767 // PACKETSTORM: 111380 // CNNVD: CNNVD-201203-543 // NVD: CVE-2012-5306

REFERENCES

url:http://www.securityfocus.com/bid/52769

Trust: 1.7

url:http://archives.neohapsis.com/archives/bugtraq/2012-03/0154.html

Trust: 1.7

url:http://www.exploit-db.com/exploits/18673

Trust: 1.7

url:http://osvdb.org/80663

Trust: 1.7

url:http://secunia.com/advisories/48602

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/74447

Trust: 1.7

url:http://retrogod.altervista.org/9sg_dlink_adv.htm

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-5306

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-5306

Trust: 0.8

url:http://www.d-link.com

Trust: 0.3

url:http://www.d-link.com/products/?pid=771

Trust: 0.3

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:http://secunia.com/psi_30_beta_launch

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=48602

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/48602/#comments

Trust: 0.1

url:http://secunia.com/advisories/48602/

Trust: 0.1

sources: OTHER: None // CNVD: CNVD-2012-1651 // VULHUB: VHN-58587 // BID: 52769 // JVNDB: JVNDB-2012-004767 // PACKETSTORM: 111380 // CNNVD: CNNVD-201203-543 // NVD: CVE-2012-5306

CREDITS

rgod

Trust: 0.9

sources: BID: 52769 // CNNVD: CNNVD-201203-543

SOURCES

db: OTHER, id: -
db: CNVD, id: CNVD-2012-1651
db: VULHUB, id: VHN-58587
db: BID, id: 52769
db: JVNDB, id: JVNDB-2012-004767
db: PACKETSTORM, id: 111380
db: CNNVD, id: CNNVD-201203-543
db: NVD, id: CVE-2012-5306

LAST UPDATE DATE

2025-04-11T19:48:22.058000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2012-1651, date: 2012-03-30T00:00:00
db: VULHUB, id: VHN-58587, date: 2017-08-29T00:00:00
db: BID, id: 52769, date: 2012-10-10T18:10:00
db: JVNDB, id: JVNDB-2012-004767, date: 2012-10-09T00:00:00
db: CNNVD, id: CNNVD-201203-543, date: 2023-04-27T00:00:00
db: NVD, id: CVE-2012-5306, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2012-1651, date: 2012-03-30T00:00:00
db: VULHUB, id: VHN-58587, date: 2012-10-06T00:00:00
db: BID, id: 52769, date: 2012-03-28T00:00:00
db: JVNDB, id: JVNDB-2012-004767, date: 2012-10-09T00:00:00
db: PACKETSTORM, id: 111380, date: 2012-03-30T01:49:18
db: CNNVD, id: CNNVD-201203-543, date: 2012-03-30T00:00:00
db: NVD, id: CVE-2012-5306, date: 2012-10-06T22:55:02.307