Some vulnerabilities have been reported in KingView, which can be exploited by malicious people to cause a DoS (Denial of Service), disclose potentially sensitive information, and compromise a vulnerable system.
1) An error within NetGenius.exe can be exploited to read an invalid pointer and cause a buffer overflow and crash the service via a specially crafted packet.
2) Input passed via the URL to Touchview.exe is not properly verified before being used to access files. This can be exploited to access arbitrary local files via directory traversal attacks.
3) The application loads an unspecified library in an insecure manner. This can be exploited to load an arbitrary library by e.g. tricking a user into opening an unspecified file located on a remote WebDAV or SMB share.
4) A boundary error in Touchview.exe when processing certain requests can be exploited to cause a heap-based buffer overflow via a specially crafted packet sent to TCP port 555.
5) A boundary error in Touchview.exe when processing certain requests can be exploited to cause a stack-based buffer overflow via a specially crafted packet sent to TCP port 555.
Successful exploitation of vulnerabilities #4-5 may allow execution of arbitrary code, but requires a project to be configured with a login server network option (disabled by default).
6) An error within KingView can be exploited to cause an out-of-bounds read via a specially crafted packet sent to port 2001.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
7) An error within KingView can be exploited to disclose arbitrary information by sending a specially crafted HTTP request containing directory traversal sequences to port 8001.
Vulnerabilities #1-5 are reported in versions prior to 65.30.17249 (TouchExplorer version 65.30.2003.17249 and Touchview version 65.30.2003.17376) and vulnerabilities #6-7 are reported in version 6.53.
Provided and/or discovered by: 1, 2) The vendor credits an anonymous person via ICS-CERT.
3) ICS-CERT credits Carlos Mario Peñagos Hollman.
4) Carlos Mario Penagos Hollmann.
5) Carlos Mario Penagos Hollmann and Dillon Beresford.
6, 7) ICS-CERT credits Dillon Beresford.
Original Advisory: WellinTech KingView:
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org
Subject: KingView Multiple Vulnerabilities
No posts yet
You must be logged in to post a comment.
Secunia Customer Login
Not a customer already?
Learn more about how our market leading Vulnerability Management solutions can help you manage risk and ensure compliance.