lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080219231219.46cc81e7.aluigi@autistici.org>
Date: Tue, 19 Feb 2008 23:12:19 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Access violation and limited informations disclosure in webcamXP
 3.72.440.0


#######################################################################

                             Luigi Auriemma

Application:  webcamXP
              http://www.webcamxp.com
Versions:     <= 3.72.440.0
              <= beta 4.05.280
Platforms:    Windows
Bug:          access violation with limited informations disclosure
Exploitation: remote
Date:         18 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


webcamXP is a commercial webcam software with an integrated webserver
for sharing the own videos.


#######################################################################

======
2) Bug
======


The pocketpc and show_gallery_pic URI are used by the external users
for watching the images of the current webcams.
The problem is that there are no checks on the webcam's number passed
by the client allowing an attacker to go outside the array which
contains all the data about each webcam.

The main effect of this bug is the silent interruption of the service
due to the access violation caused by the reading of unallocated
memory and visible in the browser of the client who has performed the
malicious request.
For example /pocketpc allows to access the memory above and below
offset 007196f0 (the location of the array in version 3.72.440.0) with
steps of 6360 bytes for each webcam number.

The secondary effect is the possibility of reading 8 bytes of the
process's memory in a partial arbitrary way (the array's offset is
fixed but is only possible to jump 6360 bytes at time) since /pocketpc
displays these two 32 bit numbers in the "width" and "height"
parameters of the returned HTML page as visible in the assembly code
starting from offset 006BD46F.


#######################################################################

===========
3) The Code
===========


http://SERVER:8080/pocketpc?camnum=999999&mode=0
http://SERVER:8080/pocketpc?camnum=-999999&mode=0
http://SERVER:8080/show_gallery_pic?id=999999


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ