Re: [Full-disclosure] Multiple Vulnerabilities of PY Software Active Webcam WebServer

From: Paul Kurczaba (seclists_at_securinews.com)
Date: 03/11/05

    Date: Fri, 11 Mar 2005 14:58:52 -0500
    To: "Sowhat ." <smaillist@gmail.com>
    
    

    It appears that the server does not use multithreading...

    QUOTE START:
    Before the administrator presses "Cancel" or "Yes", the other request
    will be paused, that means the other user cannot access the HTTP
    Server, thus leading to a Denial Of Service
    QUOTE END

    Sowhat . wrote:
    > Multiple Vulnerabilities of PY Software Active Webcam WebServer
    >
    > By Sowhat
    > 04.Jan.2005
    > http://secway.org/advisory/ad20050104.txt
    >
    >
    > Product:
    > PY Software Active Webcam 5.5
    >
    > Vendor:
    > PY Software, Inc.
    >
    > (1) Introduction
    > Active WebCam is a popular shareware program for capturing video
    > streams from video devices for Microsoft Windows platforms.
    > For more information: www.pysoft.com
    >
    > (2) Details:
    > There are multiple vulnerabilities found in Pysoft Active Webcam
    > WebServer, including Denial of Service and Information Disclosure.
    >
    > <1> Floppy Disk request Denial of Service
    >
    > http://172.16.15.8:8080/A:\a.txt
    > This request will force the webcam.exe to access the A:\a.txt,
    > and if there is no floppy disk in the A: drive, the system will pop up
    > a message like "There is no disk in the drive. Please insert a disk
    > into drive A: ".
    > Before the administrator presses "Cancel" or "Yes", the other request
    > will be paused, that means the other user cannot access the HTTP
    > Server, thus leading to a Denial Of Service.
    >
    > <2> Filelist.html Denial of service
    >
    > http://172.16.15.8:8080/Filelist.html
    > When requesting the filelist.html, the target's CPU usage will be
    > 100%, and it seems that Explorer.exe uses 95%, I don't know why :)
    >
    > <3> Physical path Disclosure
    >
    > http://172.16.15.8:8080/a
    > The Server will return "The requested file: C:\Program Files\Active
    > WebCam\images\a\ was not found."
    >
    > <4> File Disclosure
    >
    > The http server returns a different result between an existing file
    > and a non-existent file.
    > http://172.16.15.8:8080/c:\nonexsit.txt
    > the HTTP Server returns "Active WebCam cannot find this file"
    > http://172.16.15.8:8080/c:\boot.ini
    > the HTTP Server returns "HTTP 403 Forbiden"
    >
    > Thus leading to system information disclosure, and can be used to
    > verify whether some particular software is installed, for example:
    > http://172.16.15.8:8080/C:\Snort\bin\snort.exe
    > will disclose whether snort is installed on the server, and give
    > more useful information to the attacker.
    >
    > <5> Memory exhaustion Denial of service
    >
    > It seems that the webcam http server cannot correctly release the memory,
    > and thus leads to a denial of service.
    > Simply connect() and send() an http request, webcam.exe will eat at
    > least 52k memory, and send the http request thousands of times, the system
    > will encounter memory exhaustion.
    > The webcam.exe will crash, or the http server will automatically
    > restart continuously.
    > The following information was found in System Event Log,
    > "Access violation at address 00402254 in module 'WebCam.exe'. Write of
    > address FE171055."
    > "Invalid pointer operation."
    >
    > (3) Vendor Reply
    >
    > Reported on 2005.03.05, no reply yet.
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://www.secunia.com/

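
A server-side check that closes issues <1>, <3> and <4> of the quoted advisory, as an added example that is not part of the original thread and not PY Software's code: the request path is validated before any file-system call, and a refused path and a missing file get the same reply with no physical path in it. `resolve`, `respond`, `GENERIC_404` and the injected `exists` callable are hypothetical names; `DOC_ROOT` reuses the directory shown in the advisory's error message.

```python
import ntpath  # Windows path rules, usable on any OS
from urllib.parse import unquote

DOC_ROOT = r"C:\Program Files\Active WebCam\images"  # from the advisory's error text
GENERIC_404 = (404, "Not Found")  # one reply for every failure, no physical path

# Reserved DOS device names; drive access such as A:\ is caught by the ':' check.
DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                | {f"COM{i}" for i in range(1, 10)}
                | {f"LPT{i}" for i in range(1, 10)})


def resolve(url_path):
    """Map a URL path to a file under DOC_ROOT, or None if it must be refused.

    Pure string checks only: nothing here touches a drive, so a request for
    A:\\a.txt is refused before Windows could ask for a disk.
    """
    p = unquote(url_path).lstrip("/")
    if "\x00" in p or ":" in p:        # drive letters and alternate data streams
        return None
    p = p.replace("/", "\\")
    if p.startswith("\\"):             # rooted or UNC path
        return None
    parts = [s for s in p.split("\\") if s not in ("", ".")]
    if any(s == ".." or s.split(".")[0].upper() in DEVICE_NAMES for s in parts):
        return None
    full = ntpath.normpath(ntpath.join(DOC_ROOT, *parts))
    # Defence in depth: the joined path must still sit under the document root.
    root = DOC_ROOT.lower()
    if ntpath.commonpath([root, full.lower()]) != root:
        return None
    return full


def respond(url_path, exists):
    """exists: callable(full_path) -> bool, injected so the example runs offline."""
    full = resolve(url_path)
    if full is None or not exists(full):
        return GENERIC_404             # refused and missing are indistinguishable
    return (200, ntpath.basename(full))
```

On Windows, a server process can additionally call `SetErrorMode(SEM_FAILCRITICALERRORS)` so that a missing-media condition returns an error to the caller instead of raising a modal dialog.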

