|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 4788 CVE : CVE-2008-5674 CWE : CWE-20 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Available : Yes Credit : Luigi Auriemma Published : 22.12.2008
Advisory Content : ####################################################################### Luigi Auriemma Application: webcamXP http://www.webcamxp.com Versions: <= 3.72.440.0 <= beta 4.05.280 Platforms: Windows Bug: access violation with limited informations disclosure Exploitation: remote Date: 18 Feb 2008 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== webcamXP is a commercial webcam software with an integrated webserver for sharing the own videos. ####################################################################### ====== 2) Bug ====== The pocketpc and show_gallery_pic URI are used by the external users for watching the images of the current webcams. The problem is that there are no checks on the webcam's number passed by the client allowing an attacker to go outside the array which contains all the data about each webcam. The main effect of this bug is the silent interruption of the service due to the access violation caused by the reading of unallocated memory and visible in the browser of the client who has performed the malicious request. For example /pocketpc allows to access the memory above and below offset 007196f0 (the location of the array in version 3.72.440.0) with steps of 6360 bytes for each webcam number. The secondary effect is the possibility of reading 8 bytes of the process's memory in a partial arbitrary way (the array's offset is fixed but is only possible to jump 6360 bytes at time) since /pocketpc displays these two 32 bit numbers in the "width" and "height" parameters of the returned HTML page as visible in the assembly code starting from offset 006BD46F. ####################################################################### =========== 3) The Code =========== http://SERVER:8080/pocketpc?camnum=999999&mode=0 http://SERVER:8080/pocketpc?camnum=-999999&mode=0 http://SERVER:8080/show_gallery_pic?id=999999 ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org References : http://www.securityfocus.com/bid/27875
http://www.securityfocus.com/archive/1/archive/1/488364/100/200/threaded
http://secunia.com/advisories/29007  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |