Access violation and limited information disclosure in webcamXP 3.72.440.0

2008-12-21 / 2008-12-22
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 9.4/10
Impact Subscore: 9.2/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: Complete

#######################################################################

                             Luigi Auriemma

Application:  webcamXP
              http://www.webcamxp.com
Versions:     <= 3.72.440.0
              <= beta 4.05.280
Platforms:    Windows
Bug:          access violation with limited information disclosure
Exploitation: remote
Date:         18 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

webcamXP is a commercial webcam program with an integrated web server for sharing one's own video streams.

#######################################################################

======
2) Bug
======

The pocketpc and show_gallery_pic URIs are used by external users to view the images of the current webcams. The problem is that there are no checks on the webcam number passed by the client, which allows an attacker to index outside the array that holds the data of each webcam.

The main effect of this bug is the silent interruption of the service, due to the access violation raised when unallocated memory is read; the fault is visible in the browser of the client that performed the malicious request. For example, /pocketpc allows access to the memory above and below offset 007196f0 (the location of the array in version 3.72.440.0) in steps of 6360 bytes per webcam number.

The secondary effect is the possibility of reading 8 bytes of the process's memory in a partially arbitrary way (the array's offset is fixed, and it is only possible to jump 6360 bytes at a time), since /pocketpc displays these two 32-bit numbers in the "width" and "height" parameters of the returned HTML page, as visible in the assembly code starting at offset 006BD46F.

#######################################################################

===========
3) The Code
===========

http://SERVER:8080/pocketpc?camnum=999999&mode=0
http://SERVER:8080/pocketpc?camnum=-999999&mode=0
http://SERVER:8080/show_gallery_pic?id=999999

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org
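The following is an added illustration of the bug class described in sections 2 and 3 above; it is not code from the advisory or from webcamXP. The only figures taken from the advisory are the 6360-byte stride per webcam record and the array location 0x007196f0 in version 3.72.440.0; the record layout (a width and a height field at the front), the array size, the query-string format and the shape of the returned fragment are assumptions made for the example. It shows the unchecked lookup that lets camnum=999999 or camnum=-999999 walk out of the array, the bounds-checked replacement a fix would need, and the address the 32-bit process would touch for a given camnum.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* From the advisory: one webcam record is 6360 bytes and the record array sits
   at 0x007196f0 in webcamXP 3.72.440.0. Everything else below (field names,
   record count, query format, output format) is an assumption for this example. */
#define CAM_ENTRY_SIZE  6360
#define CAM_ARRAY_BASE  0x007196f0u
#define MAX_CAMS        8               /* assumed size of the fixed array */

typedef struct {
    int32_t width;                      /* assumed: the two leaked 32-bit values */
    int32_t height;
    char    pad[CAM_ENTRY_SIZE - 2 * sizeof(int32_t)];
} cam_entry;

static cam_entry cams[MAX_CAMS];        /* stand-in for the real array */

/* Populate a couple of records (constructed sample data) so the demo has something to return. */
static void init_demo_cams(void)
{
    memset(cams, 0, sizeof cams);
    cams[0].width = 320; cams[0].height = 240;
    cams[1].width = 640; cams[1].height = 480;
}

/* Address the real 32-bit process would touch for a given camnum:
   base + camnum * stride, wrapped to 32 bits like the original pointer arithmetic. */
static uint32_t camnum_to_address(long camnum)
{
    return (uint32_t)((int64_t)CAM_ARRAY_BASE + (int64_t)camnum * CAM_ENTRY_SIZE);
}

/* Vulnerable pattern (only called with an in-range index here): the client-supplied
   index is used as-is, so camnum=999999 or camnum=-999999 reads far outside the
   array and whatever sits at the first 8 bytes there becomes "width"/"height". */
static const cam_entry *lookup_cam_unchecked(long camnum)
{
    return &cams[camnum];
}

/* Hardened lookup: reject negative and too-large indices before any memory access. */
static const cam_entry *lookup_cam_checked(long camnum, size_t ncams)
{
    if (camnum < 0 || (unsigned long)camnum >= ncams)
        return NULL;
    return &cams[camnum];
}

/* Extract camnum from a query string such as "camnum=999999&mode=0".
   Returns 0 on success; -1 if absent, non-numeric, followed by junk, or out of range. */
static int parse_camnum(const char *query, long *out)
{
    const char *p = strstr(query, "camnum=");
    if (!p)
        return -1;
    p += strlen("camnum=");
    char *end;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE || (*end != '\0' && *end != '&'))
        return -1;
    *out = v;
    return 0;
}

/* Hardened /pocketpc handler: returns the HTTP status it would answer with and,
   on 200, writes the width/height fragment into buf (fragment format assumed). */
static int render_pocketpc(const char *query, size_t ncams, char *buf, size_t buflen)
{
    long camnum;
    if (parse_camnum(query, &camnum) != 0)
        return 400;
    const cam_entry *cam = lookup_cam_checked(camnum, ncams);
    if (!cam)
        return 404;                     /* the vulnerable code would call lookup_cam_unchecked() here */
    snprintf(buf, buflen, "width=%d&height=%d", cam->width, cam->height);
    return 200;
}

int main(void)
{
    const char *queries[] = { "camnum=1&mode=0", "camnum=999999&mode=0", "camnum=-999999&mode=0" };
    char buf[64];
    init_demo_cams();
    printf("unchecked lookup of camnum=1: width=%d\n", lookup_cam_unchecked(1)->width);
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++) {
        long n = 0;
        parse_camnum(queries[i], &n);
        int status = render_pocketpc(queries[i], MAX_CAMS, buf, sizeof buf);
        printf("%-24s -> unchecked read at 0x%08x, hardened handler answers %d %s\n",
               queries[i], camnum_to_address(n), status, status == 200 ? buf : "");
    }
    return 0;
}
```

The check has to run before the pointer is formed: rejecting negative values matters as much as the upper bound, since the advisory's second URL reaches memory below the array. Note that a bounds check removes the crash and the leak but does not change the fact that width and height are echoed to unauthenticated clients; that is by design of the feature.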

References:

http://www.securityfocus.com/bid/27875
http://www.securityfocus.com/archive/1/archive/1/488364/100/200/threaded
http://secunia.com/advisories/29007

