TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo

The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

This ActiveX control exposed the vulnerable
OpenFileDlg() method, see typelib:

/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
        /* VT_BSTR [8] [in] */ $sFilter
        /* method OpenFileDlg */

By invoking this method with an overlong argument is possible
to overflow a buffer. This is because of an insecure 
WideCharToMultiByte() call inside UltraMJCamX.ocx:

Call stack of main thread
Address    Stack      Procedure / arguments                                                                                                                   Called from                   Frame
001279FC   77E6F20B   kernel32.77E637DE                                                                                                                       kernel32.77E6F206             00127A0C
00127A10   0299F958   kernel32.WideCharToMultiByte                                                                                                            UltraMJC.0299F952             00127A0C
00127A14   00000003     CodePage = 3
00127A18   00000000     Options = 0
00127A1C   03835C5C     WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20   FFFFFFFF     WideCharCount = FFFFFFFF (-1.)
00127A24   00127A50     MultiByteStr = 00127A50
00127A28   00007532     MultiByteCount = 7532 (30002.)
00127A2C   00000000     pDefaultChar = NULL
00127A30   00000000     pDefaultCharUsed = NULL
00127A3C   029B11D0   UltraMJC.0299F920                                                                                                                       UltraMJC.029B11CB             00127A38

0299F934   8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937   C600 00          mov byte ptr ds:[eax],0
0299F93A   6A 00            push 0
0299F93C   6A 00            push 0
0299F93E   8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941   51               push ecx
0299F942   8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945   52               push edx
0299F946   6A FF            push -1
0299F948   8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B   50               push eax
0299F94C   6A 00            push 0
0299F94E   8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951   51               push ecx
0299F952   FF15 20319F02    call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------

The result is that critical structures are overwritten (SEH)
allowing to execute arbitrary code against the target browser.
As attachment, basic proof of concept code.