Message-Id: <20080219231219.46cc81e7.aluigi@autistici.org>
Date: Tue, 19 Feb 2008 23:12:19 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, news@...uriteam.com,
full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
packet@...ketstormsecurity.org
Subject: Access violation and limited information disclosure in webcamXP 3.72.440.0
#######################################################################
Luigi Auriemma
Application: webcamXP
http://www.webcamxp.com
Versions: <= 3.72.440.0
<= beta 4.05.280
Platforms: Windows
Bug: access violation with limited information disclosure
Exploitation: remote
Date: 18 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
webcamXP is a commercial webcam application with an integrated web server
for sharing its own video streams.
#######################################################################
======
2) Bug
======
The pocketpc and show_gallery_pic URIs are used by external users to
view the images from the current webcams.
The problem is that there are no checks on the webcam number passed by
the client, allowing an attacker to index outside the array that holds
the data for each webcam.
The main effect of this bug is a silent interruption of the service due
to the access violation caused by reading unallocated memory; the crash
is visible in the browser of the client that performed the malicious
request.
For example, /pocketpc allows access to the memory above and below
offset 007196f0 (the location of the array in version 3.72.440.0), in
steps of 6360 bytes per webcam number.
The secondary effect is the possibility of reading 8 bytes of the
process's memory in a partially arbitrary way (the array's offset is
fixed, but it is only possible to jump in 6360-byte steps), since
/pocketpc displays these two 32-bit values in the "width" and "height"
parameters of the returned HTML page, as can be seen in the assembly
code starting at offset 006BD46F.
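As an added illustration (not part of the advisory and not webcamXP's own code), the following C sketch shows the per-webcam lookup with the range check whose absence causes the bug; the record layout, the 6360-byte stride and all field and function names are assumptions modelled on the advisory.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Record layout modelled on the advisory: one entry per webcam, padded to the
 * 6360-byte stride it reports. Field names are assumptions, not webcamXP's. */
#define CAM_RECORD_SIZE 6360
#define MAX_CAMS 4

typedef struct {
    int width;
    int height;
    char pad[CAM_RECORD_SIZE - 2 * sizeof(int)];
} cam_record;

/* Constructed sample table standing in for the webcam array. */
static cam_record cams[MAX_CAMS] = {
    {640, 480}, {320, 240}, {800, 600}, {1024, 768}};

/* Parse camnum as a decimal integer: 0 on success, -1 if empty/garbage/overflow. */
static int parse_camnum(const char *s, long *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (s[0] == '\0' || *end != '\0' || errno == ERANGE) return -1;
    *out = v;
    return 0;
}

/* Hardened lookup: the advisory's bug is the absence of the range check
 * below, which lets camnum=999999 or camnum=-999999 index outside cams[].
 * Returns 0 and fills width/height, or -1 for a rejected request. */
int lookup_cam_dims(const char *camnum, int *width, int *height) {
    long idx;
    if (parse_camnum(camnum, &idx) != 0) return -1;
    if (idx < 0 || idx >= MAX_CAMS) return -1;
    *width = cams[idx].width;
    *height = cams[idx].height;
    return 0;
}

int main(void) {
    int w, h;
    const char *inputs[] = {"1", "999999", "-999999", "abc"};
    for (int i = 0; i < 4; i++)
        printf("camnum=%s -> %s\n", inputs[i],
               lookup_cam_dims(inputs[i], &w, &h) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the check in place, the out-of-range values from section 3 are rejected before any memory is read, so neither the crash nor the width/height leak can occur.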
#######################################################################
===========
3) The Code
===========
http://SERVER:8080/pocketpc?camnum=999999&mode=0
http://SERVER:8080/pocketpc?camnum=-999999&mode=0
http://SERVER:8080/show_gallery_pic?id=999999
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org