[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <d65cd43905031002244b011070@mail.gmail.com>
From: smaillist at gmail.com (Sowhat .)
Subject: Multiple Vulnerabilities of PY Software Active
Webcam WebServer
Multiple Vulnerabilities of PY Software Active Webcam WebServer
By Sowhat
04.Jan.2005
http://secway.org/advisory/ad20050104.txt
Product:
PY Software Active Webcam 5.5
Vendor:
PY Software, Inc.
(1) Introduction
Active WebCam is a popular shareware program for capturing video
streams from video devices for Microsoft Windows platforms.
For more information: www.pysoft.com
(2) Details:
There are multiple vulnerabilities founded in Pysoft Active Webcam
WebServer,including Denial of Service and Information Disclosure.
<1> Floppy Disk request Denial of Service
http://172.16.15.8:8080/A:\a.txt
This request will force the webcam.exe to access the A:\a.txt,
And if there is no floppy disk in the A: dirver, the system will popup
a message like "There is no disk in the drive. Please insert a disk
into drive A: ".
Before the administrator press "Cancel" or "Yes",the other request
will be paused,that means the other user cannt Access the HTTP
Server,thus leading to a Denial Of Service.
<2> Filelist.html Denial of service
http://172.16.15.8:8080/Filelist.html
When requesting the filelist.html,the target's CPU usage will be
100%,and it seems that Explorer.exe use 95%,I dont know why :)
<3> Physical path Disclosure
http://172.16.15.8:8080/a
The Server will return "The requested file: C:\Program Files\Active
WebCam\images\a\ was not found."
<4> File Disclosure
The http server returns the different result between an existed file
and a non-exsit file.
http://172.16.15.8:8080/c:\nonexsit.txt
the HTTP Server returns "Active WebCam cannot find this file"
http://172.16.15.8:8080/c:\boot.ini
the HTTP Server returns "HTTP 403 Forbiden"
Thus leading to System information disclosure ,and can be used to
verify whether some particular software is installed,for example :
http://172.16.15.8:8080/C:\Snort\bin\snort.exe
will disclosure whether a snort is installed on the server,and give
more useful information to the attacker.
<5> Memory exhaust Denial of service
It seems that webcam http server cannt correctly release the memory
and thus lead to a denial of service.
Simply connect() and send() a http request,webcam.exe will eat at
least 52k memory,and send the http request thousands times,the system
will encounter a Memory exhaust.
The webcam.exe will crash ,or the http server will automaticlly
continuse restart
The following information was found in System Event Log,
"Access violation at address 00402254 in module 'WebCam.exe'. Write of
address FE171055."
"Invalid pointer operation."
(3) Vendor Reply
Reported on 2005.03.05,No reply yet.
Powered by blists - more mailing lists