####################################################################### Luigi Auriemma Application: TrackerCam http://www.trackercam.com Versions: <= 5.12 Platforms: Windows Bugs: A] User-Agent buffer-overflow B] PHP argument buffer-overflow C] directory traversal and full path disclosure D] html injection in log file E] informations disclosure F] crash caused by multiple error messages Exploitation: remote Date: 18 Feb 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== TrackerCam is a webcam http server with the possibility to be publically and easily visible through the TrackerCam community page: http://www.trackercam.com/livecams ####################################################################### ======= 2) Bugs ======= ----------------------------- A] User-Agent buffer-overflow ----------------------------- An HTTP request containing an User-Agent field longer than 216 bytes leads to a buffer-overflow. ------------------------------- B] PHP argument buffer-overflow ------------------------------- As above but this buffer-overflow happens when the server handles an argument longer than 256 bytes passed to any PHP script. Example: http://host:8090/MessageBoard/messages.php?aaaaaaaaaaa...aaaa ----------------------------------------------- C] directory traversal and full path disclosure ----------------------------------------------- TrackerCam has a PHP script accessible by anyone (bug E) that is used to watch the log files from the web interface. The problem is that the log filename is passed through a PHP argument and there are no security checks in the script so an attacker can choose what file to read and moreover from what location since is possible to use a directory traversal attack. If the file doesn't exist or no arguments are passed will be showed the full physical path on which is located the ComGetLogFile.php3 script. Both slash, backslash and their hex values are allowed. Example: http://host:8090/tuner/ComGetLogFile.php3?fn=../../../../windows/system.ini ----------------------------- D] html injection in log file ----------------------------- Any login (correct or wrong) is logged in the current log file of the month. As already said this file is also visible through a web browser allowing an attacker to put HTML or any other code supported by the admin's browser in the log file through a login request. -------------------------- E] informations disclosure -------------------------- As said in bug C, is possible to reach the ComGetLogFile.php3 script without restrictions in fact also the servers protected by passwords have ever some interesting zones accessible by anyone and the log file is just one of those, or at least that causing a threat. In this file in fact are logged both wrong and correct logins so is possible to guess the working passwords (that naturally are not stored in the file), know what IP addresses have accessed the server or retrieve other small informations. Each log file contains the logins of the entire month so an example of log filename for the current month is: http://host:8090/tuner/ComGetLogFile.php3?fn=Eye2005_02.log ------------------------------------------ F] crash caused by multiple error messages ------------------------------------------ If the server receives a negative Content-Length, it will show a simple MessageBox with an "insufficient memory" error and the same happens for any subsequent bad request like that. After about 300 of these consecutive errors the server crashs. Another similar problem (just to take note, but not so important) happens after the sending of about 10 megabytes of data. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/tcambof.zip ####################################################################### ====== 4) Fix ====== No fix. The developers don't seem interested to fix these bugs. #######################################################################