lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 10 Mar 2005 18:24:41 +0800
From: "Sowhat ." <smaillist@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Multiple Vulnerabilities of PY Software Active
	Webcam WebServer


Multiple Vulnerabilities of PY Software Active Webcam WebServer

By Sowhat
04.Jan.2005
http://secway.org/advisory/ad20050104.txt


Product:
PY Software Active Webcam 5.5

Vendor:
PY Software, Inc. 

(1) Introduction
Active WebCam is a popular shareware program for capturing video
streams from video devices for Microsoft Windows platforms.
For more information: www.pysoft.com

(2) Details:
There are multiple vulnerabilities founded in Pysoft Active Webcam
WebServer,including Denial of Service and Information Disclosure.

<1> Floppy Disk request Denial of Service

http://172.16.15.8:8080/A:\a.txt
This request will force the webcam.exe to access the A:\a.txt,
And if there is no floppy disk in the A: dirver, the system will popup
a message like "There is no disk in the drive. Please insert a disk
into drive A:  ".
Before the administrator press "Cancel" or "Yes",the other request
will be paused,that means the other user cannt Access the HTTP
Server,thus leading to a Denial Of Service.

<2> Filelist.html Denial of service

http://172.16.15.8:8080/Filelist.html
When requesting the filelist.html,the target's CPU usage will be
100%,and it seems that Explorer.exe use 95%,I dont know why :)

<3> Physical path Disclosure

http://172.16.15.8:8080/a
The Server will return "The requested file: C:\Program Files\Active
WebCam\images\a\ was not found."

<4> File Disclosure

The http server returns the different result between an existed file
and a non-exsit file.
http://172.16.15.8:8080/c:\nonexsit.txt
the HTTP Server returns "Active WebCam cannot find this file"
http://172.16.15.8:8080/c:\boot.ini
the HTTP Server returns "HTTP 403 Forbiden"

Thus leading to System information disclosure ,and can be used to
verify whether  some particular software is installed,for example :
http://172.16.15.8:8080/C:\Snort\bin\snort.exe
will disclosure whether a snort is installed on the server,and give
more useful information to the attacker.

<5> Memory exhaust Denial of service

It seems that webcam http server cannt correctly release the memory
and thus lead to a denial of service.
Simply connect() and send() a http request,webcam.exe will eat at
least 52k memory,and send the http request thousands times,the system
will encounter a Memory exhaust.
The webcam.exe will crash ,or the http server will automaticlly
continuse restart
The following information was found in System Event Log, 
"Access violation at address 00402254 in module 'WebCam.exe'. Write of
address FE171055."
"Invalid pointer operation."

(3) Vendor Reply

Reported on 2005.03.05,No reply yet.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ