Samsung iPOLiS Device Manager ReadConfigValue vulnerability

Added: 04/27/2015
CVE: CVE-2015-0555
OSVDB: 118668

Background

Samsung iPOLiS Device Manager is software for managing network devices. It comes with an ActiveX control called XnsSdkDeviceIpInstaller.ocx.

Problem

A buffer overflow vulnerability in the ReadConfigValue and WriteConfigValue methods in the XnsSdkDeviceIpInstaller.ocx ActiveX control allows command execution when a user loads a specially crafted web page.

Resolution

There is no known fix for this vulnerability. Remove the ActiveX control or avoid loading pages from untrusted sites.
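To confirm whether a host still exposes the control, the following added example (not part of the original advisory) searches the machine-wide COM registrations for the OCX file named above and reports whether Internet Explorer's kill bit is set for each CLSID it finds. The advisory does not give the control's CLSID, so the script discovers it from the file name; the kill-bit check uses Microsoft's documented `Compatibility Flags` value of 0x400, a mitigation the advisory itself does not mention.

```powershell
# Added example (read-only): find COM registrations of the OCX named in this
# advisory and report whether IE's kill bit is set for each CLSID found.
$ocxName = 'XnsSdkDeviceIpInstaller.ocx'   # file name from the advisory
$killBit = 0x400                           # kill-bit flag in "Compatibility Flags"

# Native registry view, plus the 32-bit view present on 64-bit Windows.
$views = @(
    @{ Name   = 'native'
       Clsid  = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name   = 'wow6432'
       Clsid  = 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-OcxKillBitStatus {
    param([string]$FileName)
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Clsid)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Clsid -ErrorAction SilentlyContinue) {
            $server = $key.OpenSubKey('InprocServer32')
            if (-not $server) { continue }
            $path = [string]$server.GetValue('')   # default value = path to the DLL/OCX
            $server.Close()
            if ($path -notlike "*$FileName*") { continue }

            # Look up the kill bit for this CLSID in the matching registry view.
            $clsid = $key.PSChildName
            $entry = Get-ItemProperty -LiteralPath (Join-Path $view.Compat $clsid) -ErrorAction SilentlyContinue
            $flags = if ($entry) { [int]$entry.'Compatibility Flags' } else { 0 }
            New-Object PSObject -Property @{
                View = $view.Name; Clsid = $clsid; Path = $path
                KillBitSet = [bool]($flags -band $killBit)
            }
        }
    }
}

Get-OcxKillBitStatus -FileName $ocxName | Format-Table View, Clsid, KillBitSet, Path -AutoSize
```

A row with KillBitSet False means Internet Explorer can still instantiate the control from that registry view; no output means no machine-wide registration was found (per-user registrations under HKCU are not searched).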

References

http://seclists.org/fulldisclosure/2015/Feb/81

Limitations

The exploit works on Windows XP SP3 with IE 6 and 7 and requires a user to load the exploit page in Internet Explorer.

Platforms

Windows
