#######################################################################

                             Luigi Auriemma

Application:  webcamXP
              http://www.webcamxp.com
Versions:     <= 3.72.440.0
              <= beta 4.05.280
Platforms:    Windows
Bug:          access violation with limited information disclosure
Exploitation: remote
Date:         18 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

webcamXP is a commercial webcam program with an integrated webserver
for sharing one's own video streams.

#######################################################################

======
2) Bug
======

The pocketpc and show_gallery_pic URIs are used by external users to
view the images of the current webcams.
The problem is that no check is performed on the webcam number passed
by the client, so an attacker can index outside the array which
contains the data about each webcam.

The main effect of this bug is the silent interruption of the service:
reading unallocated memory raises an access violation, which is then
visible in the browser of the client who performed the malicious
request.
For example /pocketpc allows access to the memory above and below
offset 007196f0 (the location of the array in version 3.72.440.0) in
steps of 6360 bytes for each webcam number.

The secondary effect is the possibility of reading 8 bytes of the
process's memory in a partially arbitrary way (the array's offset is
fixed and it is only possible to jump 6360 bytes at a time), since
/pocketpc displays these two 32-bit values in the "width" and "height"
parameters of the returned HTML page, as visible in the assembly code
starting from offset 006BD46F.
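The following C program is an added illustration of the indexing
described above and is not webcamXP's code: the real record layout is
unknown, and only the 6360-byte stride per webcam and the width/height
fields shown by /pocketpc come from the advisory. The struct layout,
MAX_CAMS, the query-string parser and all function names are
assumptions. It shows the unchecked offset arithmetic a handler would
perform with the camnum values from section 3 next to a bounds-checked
lookup that rejects them.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdint.h>

/* Hypothetical stand-in for the per-camera record. Only the stride
   (6360 bytes per camera) and the two leading 32-bit values reported
   as width/height are taken from the advisory; the rest is padding. */
#define CAM_RECORD_SIZE 6360
#define MAX_CAMS 8            /* assumed table size */

struct webcam {
    uint32_t width;
    uint32_t height;
    uint8_t  other[CAM_RECORD_SIZE - 2 * sizeof(uint32_t)];
};
_Static_assert(sizeof(struct webcam) == CAM_RECORD_SIZE,
               "record stride must match the 6360-byte step");

/* Constructed data standing in for the server's camera table. */
static struct webcam cams[MAX_CAMS];

/* Extract the integer value of the "camnum" parameter from a raw query
   string such as "camnum=999999&mode=0". Returns 0 on success. */
int parse_camnum(const char *query, long *out)
{
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, "camnum=", 7) == 0) {
            char *end;
            errno = 0;
            long v = strtol(p + 7, &end, 10);
            if (end == p + 7 || errno == ERANGE ||
                (*end != '\0' && *end != '&'))
                return -1;
            *out = v;
            return 0;
        }
        p = strchr(p, '&');
        if (p)
            p++;
    }
    return -1;
}

/* Vulnerable pattern: the byte offset added to the table base with no
   check that camnum names a real camera. Negative and huge values walk
   below and above the array in CAM_RECORD_SIZE steps, which is the
   behaviour the advisory describes. The offset is only computed here,
   never dereferenced. */
long long unchecked_record_offset(long camnum)
{
    return (long long)camnum * CAM_RECORD_SIZE;
}

/* Hardened lookup: anything outside [0, MAX_CAMS) is rejected. */
const struct webcam *checked_lookup(long camnum)
{
    if (camnum < 0 || camnum >= MAX_CAMS)
        return NULL;
    return &cams[camnum];
}

/* The essential step of a /pocketpc-style handler: take the client's
   camnum, look the record up safely and report width/height.
   Returns 0 and fills w/h, or -1 when the number is out of range. */
int pocketpc_dimensions(const char *query, uint32_t *w, uint32_t *h)
{
    long camnum;
    if (parse_camnum(query, &camnum) != 0)
        return -1;
    const struct webcam *cam = checked_lookup(camnum);
    if (!cam)
        return -1;
    *w = cam->width;
    *h = cam->height;
    return 0;
}

int main(void)
{
    cams[0].width = 320;
    cams[0].height = 240;
    const char *reqs[] = { "camnum=0&mode=0",
                           "camnum=999999&mode=0",
                           "camnum=-999999&mode=0" };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        long n;
        uint32_t w, h;
        if (parse_camnum(reqs[i], &n) == 0)
            printf("%-22s -> %+lld bytes from table base: ",
                   reqs[i], unchecked_record_offset(n));
        if (pocketpc_dimensions(reqs[i], &w, &h) == 0)
            printf("width=%u height=%u\n", w, h);
        else
            printf("rejected\n");
    }
    return 0;
}
```

The two out-of-range requests land roughly 6.3 GB above and below the
table base in the unchecked arithmetic, which is why the real handler
faults on unallocated memory; the checked lookup turns both into an
error response instead of a crash or a leaked pair of dwords.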
#######################################################################

===========
3) The Code
===========

http://SERVER:8080/pocketpc?camnum=999999&mode=0
http://SERVER:8080/pocketpc?camnum=-999999&mode=0
http://SERVER:8080/show_gallery_pic?id=999999

#######################################################################

======
4) Fix
======

No fix

#######################################################################