Date: 13 May 2005 15:36:29 -0000
From: SecuBox fRoGGz <unsecure@...teme.com>
To: bugtraq@...urityfocus.com
Subject: Willings WebCam - Password Disclosure Issue




-----------------------------
Software: Willings WebCam
Corporation: Illustrate
Revision Date: May 09, 2005
Version: 2.8
Tested on: Windows 2000 SP4
Vulnerability: Local Password Disclosure Issue
----------------------------------------------


BACKGROUND
----------
Willing Webcam is a simple, yet fully-featured software tool designed to help you capture 
streaming video and snapshots and publish them on your website. To make your video production 
shine, you can enhance it with comments, date and time stamps, watermarks, and various live 
video effects. You can also create a digital album where images and videos are organized 
for fast retrieval and viewing. Uses a motion control detection sensor that wakes up your 
web camera at the slightest motion in the room. The sensor can trigger a variety of actions, 
including email sending, movie saving, FTP uploading, sound alarm, or a launch of any 
specified application. In addition to the motion sensor, the program has a time-lapse option. 
It allows you to record video at specified time intervals.
Source: www.willingsoftware.com


VULNERABLE PRODUCTS
-------------------
Willings WebCam <= 2.8
Willings WebCam Lite <= 2.8


CONTEXT
-------
In the option settings, you can define an administrator password to protect the local 
configuration access. If the password is forgotten, and that you decide to reinstall 
for re-initialize it... damned it doesn't work. This bug was discovered by Secubox Labs 
thanks to a customer who had lost his password. The recovery tool realisation allowed us 
to put the stress on a weakness software.


VULNERABILITY
-------------
The problem resides in the fact that the application will execute a function that loads 
the password in static memory before the user has even identified himself.
A simple read operation at this address will reveal the password.


**********************************
Memory: Willings WebCam ( ww.exe )
AllocationBase: 7B930000 - Read/Write - Private
-----------------------------------------------------------------------\
00 00 00 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; ...DEGetBlockFmt     |
4E 61 6D 65 73 50 61 72 61 6D 00 00 00 00 00 40 ; NamesParam.....@     |
00 00 00 00 00 00 00 31 00 00 00 44 45 47 65 74 ; .......1...DEGet     |
42 6C 6F 63 6B 46 6D 74 4E 61 6D 65 73 50 61 72 ; BlockFmtNamesPar     |
61 6D 2E 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; am.DEGetBlockFmt     |
4E 61 6D 65 73 50 61 72 61 6D 2E 31 00 00 00 20 ; NamesParam.1...      |
00 00 00 01 00 00 00 13 00 00 00 41 63 74 69 6F ; ...........Actio     |
6E 4E 65 74 77 6F 72 6B 43 61 6D 65 72 61 00 20 ; nNetworkCamera.      |____________
00 00 00 01 00 00 00 07 00 00 00 53 65 63 75 42 ; ...........SecuB  <--/ PLAIN TEXT \
6F 78 00 4E 44 20 50 41 53 53 57 4F 52 44 00 20 ; ox.ND PASSWORD.   <--\____________/
00 00 00 D0 8A 83 00 80 68 9F 7B 01 00 00 00 04 ; ...Њƒ.€hŸ{.....     |
00 00 00 65 78 00 00 65 50 61 72 61 6D 2E 44 40 ; ...ex..eParam.D@     |
00 00 00 01 00 00 00 1F 00 00 00 44 69 72 65 63 ; ...........Direc     |
74 58 20 76 69 64 65 6F 20 73 6F 75 72 63 65 2E ; tX video source.     |
20 20 43 74 72 6C 2B 46 31 30 00 44 65 6E 61 6C ;   Ctrl+F10.Denal     |
69 44 6C 67 39 38 2E 44 65 6E 61 6C 69 44 6C 00 ; iDlg98.DenaliDl.     |
01 00 00 68 35 7B 00 00 6E 93 7B 48 CF 94 7B 01 ; ...h5{..n“{HÏ”{.     |
-----------------------------------------------------------------------/

Class is "TFormJB" and Window name "Input Password"
Start -> 7b94cf68 - 47  - inc edi
The end, just find -> "ND PASSWORD"
***************************************************



VENDOR STATUS
-------------
Vendor have been contacted: 6 may 2005



CREDITS
----------------------
SecuBox Labs - fRoGGz
unsecure[at]writeme[dot]com
----------------------------

Powered by blists - more mailing lists