[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050502115525.925C7158074@chernobyl.investici.org>
Date: Mon, 2 May 2005 11:55:25 -0000
From: "Donato Ferrante" <fdonato@...istici.org>
To: <bugtraq@...urityfocus.com>, <vuln@...unia.com>,
<full-disclosure@...ts.grok.org.uk>, <bugs@...uritytracker.com>,
<news@...uriteam.com>
Subject: Multiple Vulnerabilities in Video Cam Server 1.0.0
Donato Ferrante
Application: Video Cam Server
http://vcs.raybase.com/
Version: 1.0.0
Bugs: Multiple Vulnerabilities
Date: 02-May-2005
Author: Donato Ferrante
e-mail: fdonato@...istici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bugs
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"Video Cam Server (VCS) is a server for publishing the image taken from
a Video Camera (especially Web Cam) connected to it. It will be very
useful for remote monitoring your home, office or other environment."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
2. The bugs:
-------------
The bugs are located into the built-in webserver.
By default no HTTP Authentication is set so a malicious user can:
i.
(path disclosure) know the remote current path, by sending an
http request for an unavailable page.
ii.
(directory traversal) go out the document root assigned to the
webserver by using common malicious patterns like: ".." into
http requests, and see/download all the files available on the
remote system.
iii.
(denial of service) shutdown http-server and/or camera, by using
admin's control page that it's not properly managed.
NOTE:
Reported vulnerabilities are also valid if the HTTP Authentication is
set, but in this case the malicious user must obtain login information.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerabilities:
i.
http://[host]/%20
ii.
http://[host]/..\..\..\..\..\..\..\..\..\..\..\windows\system.ini
or connect to the webserver and send a raw request like:
GET /../../../../../../../../../../../windows/system.ini HTTP/1.1
iii.
http://[host]/admin.html
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
Vendor has been notified.
Bugs will be probably fixed in the next release.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists