Some vulnerabilities have been reported in KingView, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose potentially sensitive information, and compromise a vulnerable system.

1) An error within NetGenius.exe can be exploited to read an invalid pointer and cause a buffer overflow and crash the service via a specially crafted packet.

2) Input passed via the URL to Touchview.exe is not properly verified before being used to access files. This can be exploited to access arbitrary local files via directory traversal attacks.

3) The application loads an unspecified library in an insecure manner. This can be exploited to load an arbitrary library by e.g. tricking a user into opening an unspecified file located on a remote WebDAV or SMB share.

4) A boundary error in Touchview.exe when processing certain requests can be exploited to cause a heap-based buffer overflow via a specially crafted packet sent to TCP port 555.

5) A boundary error in Touchview.exe when processing certain requests can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 555.

Successful exploitation of vulnerabilities #4-5 may allow execution of arbitrary code, but requires a project to be configured with a login server network option (disabled by default).

6) An error within KingView can be exploited to cause an out-of-bounds read via a specially crafted packet sent to port 2001.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

7) An error within KingView can be exploited to disclose arbitrary information by sending a specially crafted HTTP request containing directory traversal sequences to port 8001.

Vulnerabilities #1-5 are reported in versions prior to 65.30.17249 (TouchExplorer version 65.30.2003.17249 and Touchview version 65.30.2003.17376) and vulnerabilities #6-7 are reported in version 6.53.

Solution
Apply patch.
Further details available to Secunia VIM customers

Provided and/or discovered by
1, 2) The vendor credits an anonymous person via ICS-CERT.
3) ICS-CERT credits Carlos Mario Peñagos Hollman.
4) Carlos Mario Penagos Hollmann.
5) Carlos Mario Penagos Hollmann and Dillon Beresford.
6, 7) ICS-CERT credits Dillon Beresford.

Changelog
Further details available to Secunia VIM customers

Original Advisory
WellinTech KingView:
http://en.wellintech.com/news/detail.aspx?contentid=168
http://en.wellintech.com/index.php/news/33-patch-for-kingview653

ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-122-01.pdf
http://www.us-cert.gov/control_systems/pdf/ICSA-12-185-01.pdf

Carlos Mario Penagos Hollmann:
http://www.exploit-db.com/exploits/19389/

Deep Links
Links available to Secunia VIM customers