#######################################################################

                             Luigi Auriemma

Application:  Asus Video Security
              http://www.asus.com/products1.aspx?l1=2&share=icon/12
Versions:     <= 3.5.0.0
              (the version numbering is chaotic; this one seems to be the
              most recent, but there is no official website with the
              latest updates and Asus didn't reply to me)
Platforms:    Windows
Bugs:         A] authorization buffer-overflow
              B] directory traversal
Exploitation: remote
Date:         02 Nov 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Asus Video Security is monitoring software bundled with Asus graphics
cards.

By default the built-in web server is disabled, so these bugs can be
exploited "only" if it has been manually activated.

#######################################################################

=======
2) Bugs
=======

--------------------------------
A] authorization buffer-overflow
--------------------------------

A buffer-overflow occurs while the server handles the base64-decoded
username:password string (the value of the HTTP Basic Authorization
header) sent to a password-protected Asus Video Security web server.
The server is not vulnerable if it does not use authorization.

----------------------
B] directory traversal
----------------------

The built-in web server is also vulnerable to a classical directory
traversal bug that allows an attacker to download any file on the disk
where the program is installed. That is possible through the use of the
dot-dot-slash ("../") and dot-dot-backslash ("..\") patterns; HTTP-encoded
(percent-encoded) characters are not accepted by the web server, so the
traversal sequences must be sent literally. If the server is
password-protected, the attacker must know the right credentials.
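The two checks missing from the server, as an added example that is not the advisory's proof-of-concept and not Asus code: a hypothetical C handler that base64-decodes the Basic Authorization value only up to the capacity of its credential buffer (the fix for bug A) and refuses request paths that contain a ".." component in either slash form (the fix for bug B). The buffer size CRED_MAX, the function names and the sample credentials and paths are assumptions for illustration.

```c
/* Added example (not the advisory's PoC and not Asus code): a hypothetical
 * request handler showing the two checks the advisory says the built-in
 * web server lacks. Bug A: the Basic Authorization value is base64-decoded
 * into a fixed-size buffer, so the decode must be bounded by that buffer's
 * capacity. Bug B: "../" and "..\" in the request path must be refused
 * before the path is joined to the web root. CRED_MAX is an assumed size. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRED_MAX 64   /* hypothetical size of the server's credential buffer */

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out (capacity outcap). Returns the decoded
 * length, or -1 on a bad character or when one more byte would not fit.
 * The vulnerable pattern is this same loop without the outcap test:
 * a long Authorization header then writes past the fixed buffer. */
static int b64_decode(const char *in, unsigned char *out, size_t outcap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in != '\0' && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;          /* would overflow: refuse */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Parse "Basic <base64>" into bounded user and pass buffers.
 * Returns 1 on success, 0 on malformed, oversized or NUL-containing input. */
static int parse_basic_auth(const char *hdr, char *user, size_t ucap,
                            char *pass, size_t pcap)
{
    unsigned char cred[CRED_MAX + 1];
    if (strncmp(hdr, "Basic ", 6) != 0) return 0;
    int n = b64_decode(hdr + 6, cred, CRED_MAX);
    if (n < 0) return 0;
    if (memchr(cred, '\0', (size_t)n) != NULL) return 0;
    cred[n] = '\0';
    char *colon = strchr((char *)cred, ':');
    if (colon == NULL) return 0;
    size_t ulen = (size_t)(colon - (char *)cred);
    size_t plen = (size_t)n - ulen - 1;
    if (ulen >= ucap || plen >= pcap) return 0;
    memcpy(user, cred, ulen);
    user[ulen] = '\0';
    memcpy(pass, colon + 1, plen);
    pass[plen] = '\0';
    return 1;
}

/* Verdict-only wrapper: does hdr carry exactly expect_user:expect_pass? */
int basic_auth_ok(const char *hdr, const char *expect_user, const char *expect_pass)
{
    char user[32], pass[32];
    if (!parse_basic_auth(hdr, user, sizeof user, pass, sizeof pass)) return 0;
    return strcmp(user, expect_user) == 0 && strcmp(pass, expect_pass) == 0;
}

/* Request-path check for bug B. Both '/' and '\\' are separators, since the
 * advisory reports that "../" and "..\" both work against the server. Any
 * ".." component, a second leading separator, a ':' (drive letter or NTFS
 * stream) and '%' are refused: the server does not accept encoded
 * characters, and refusing '%' keeps the check valid even if a decoding
 * step is later added after it. */
int path_is_safe(const char *path)
{
    const char *p = path;
    if (*p == '/') p++;                        /* the request-URI's leading slash */
    if (*p == '/' || *p == '\\') return 0;     /* "//host" or "\\server" forms */
    if (strchr(p, ':') != NULL || strchr(p, '%') != NULL) return 0;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return 0;
        if (*p != '\0') p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: "admin:secret" encoded, then 96 'A's (72 bytes > CRED_MAX). */
    printf("valid credential:     %d\n",
           basic_auth_ok("Basic YWRtaW46c2VjcmV0", "admin", "secret"));
    printf("oversized credential: %d\n",
           basic_auth_ok("Basic " "AAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAA"
                         "AAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAA", "x", "y"));
    printf("/images/logo.gif:     %d\n", path_is_safe("/images/logo.gif"));
    printf("/..\\..\\boot.ini:      %d\n", path_is_safe("/..\\..\\boot.ini"));
    return 0;
}
```

The decoder refuses rather than truncates an oversized credential, so an attacker cannot even get a partially written buffer; the path check is deliberately conservative and rejects any ".." component, including ones such as "/images/../logo.gif" that would resolve inside the web root. A server that does percent-decode request paths must run this check on the decoded path, not the raw one.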
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/asusvsbugs.zip

#######################################################################

======
4) Fix
======

No fix. No reply from the vendor.

#######################################################################