Cisco Linksys PTZ Internet Video Camera PlayerPT ActiveX Overflow

Added: 04/19/2012
BID: 52673
OSVDB: 80297

Background

The Cisco WVC200 Wireless-G PTZ Internet Video Camera sends live video through the Internet to a web browser anywhere in the world. Viewers can access the video stream through an HTTP service, which requires an ActiveX client to be installed in the user's browser.

Problem

The PlayerPT.ocx ActiveX control installed by the camera server is vulnerable to a buffer overflow via the SetSource() method. If a user who has this control installed browses to a malicious website, that site can exploit this vulnerability to gain control of the user's system.

Resolution

Set the kill bit for Class ID 9E065E4A-BD9D-4547-8F90-985DC62A5591 as described in Microsoft Knowledge Base Article 240797.
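
One way to apply and verify this kill bit on a Windows host, as an added example that is not part of the original advisory. It assumes an elevated PowerShell prompt and uses the registry location and 0x400 Compatibility Flags value documented in KB 240797; the function names are hypothetical.

```powershell
# Added example: audit and set the Internet Explorer kill bit for PlayerPT.ocx.
$Clsid   = '{9E065E4A-BD9D-4547-8F90-985DC62A5591}'  # Class ID from this advisory
$KillBit = 0x400                                     # kill bit in "Compatibility Flags" (KB 240797)
$Name    = 'Compatibility Flags'

# 64-bit Windows keeps a separate registry view for 32-bit Internet Explorer.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: read the current flags, or $null if key/value is absent.
function Get-CompatFlags {
    param([string]$KeyPath)
    (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Hypothetical helper: true only when the kill bit itself is present.
function Test-KillBit {
    param([string]$KeyPath)
    $flags = Get-CompatFlags $KeyPath
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

# Hypothetical helper: create the CLSID key if needed and OR the bit in,
# so any other compatibility flags already configured are preserved.
function Set-KillBit {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $current = Get-CompatFlags $KeyPath
    if ($null -eq $current) { $current = 0 }
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }  # e.g. no WOW6432Node on 32-bit Windows
    $key = Join-Path $root $Clsid
    if (Test-KillBit $key) {
        "$key : kill bit already set"
    } else {
        Set-KillBit $key
        "$key : kill bit now set = $(Test-KillBit $key)"
    }
}
```

Internet Explorer reads these flags when it instantiates a control, so restart any open browser windows after running the script.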

References

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6918/ps9692/ps9944/ps9946/data_sheet_c78-504106.html
http://retrogod.altervista.org/9sg_linksys_playerpt.htm
http://secunia.com/advisories/48543/

Limitations

This exploit has been tested against Cisco Systems PlayerPT 1.0.0.15 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).
The exploit script runs as a web server and publishes a crafted HTML page. The HTML page must be opened using Internet Explorer 8 or 9 on the target.
JRE 1.6.x must be installed on Windows 7 targets on which the web browser is opened.

Platforms

Windows
