[NT] Webcam Watchdog Stack Overflow Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 01/05/04

    To: list@securiteam.com
    Date: 5 Jan 2004 15:54:26 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Webcam Watchdog Stack Overflow Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.webcamsoft.com/en/watchdog.html> Watchdog is "simply your
    best choice if you need to record video over a long time. You can setup
    Watchdog to initiate video recording when there's a motion detected.
    Watchdog can also alert you by emailing you the captured image and play
    the alarm sound". A vulnerability in the product allows remote users to
    overflow an internal stack buffer in the program, causing it to execute
    arbitrary code.

    DETAILS

    Vulnerable systems:
     * Webcam Watchdog version 3.63 and prior

    Stack-based Buffer Overflow:
    Webcam Watchdog is vulnerable to a remotely exploitable stack-based buffer
    overflow which can be triggered via a single overly long HTTP GET request
    on port 80/tcp.

    A sample request is as follows:
    ---------------------------------------------------
    GET /('a'x234)('BBBB')('XXXX') HTTP/1.1
    User-Agent: WCSAXRView
    Host: 127.0.0.1
    Cache-Control: no-cache

    ---------------------------------------------------

    The above request would cause the saved base pointer to be overwritten
    with 42424242h, and the saved return address to be overwritten with
    58585858h.

    Part of the Vulnerable Code:
    It seems that the executable is compressed or encrypted, so to follow the
    steps detailed below it is best to load the executable and then trace the
    code in the memory, rather than try to disassemble the application
    beforehand.

    At address 0040AEB0, a procedure located at 0040ADE8 is called. The
    return address 0040AEB5 is saved on the stack at memory location
    0012F900.

    0040AEA9 56 PUSH ESI
    0040AEAA 8BF1 MOV ESI,ECX
    0040AEAC FF7424 08 PUSH DWORD PTR SS:[ESP+8]
    0040AEB0 E8 33FFFFFF CALL Wsrv.0040ADE8
    0040AEB5 8BC8 MOV ECX,EAX

    In the procedure 0040ADE8, at line 0040AE2A, another procedure (0040B0FC)
    is called, leaving the return address 0040AE2F on the stack at 0012F6D8
    (this saved return address is *not* overwritten however, and the procedure
    later returns without a problem).

    0040AE2A E8 CD020000 CALL Wsrv.0040B0FC
    0040AE2F 85C0 TEST EAX,EAX

    In the procedure 0040B0FC, there is an unchecked string copying routine
    that copies a string (composed of 'Software\Webcam\WatchdogX.' + the
    requested web page string from the GET request + '\mycapteng\ch0') into a
    fixed-size buffer on the stack. The loop below bounds the copy only by the
    length of the source string (held at [EBP-4]), never by the size of the
    destination buffer.

    0040B161 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
    0040B164 8BD1 MOV EDX,ECX
    0040B166 2BD0 SUB EDX,EAX
    0040B168 8A1C19 MOV BL,BYTE PTR DS:[ECX+EBX]
    0040B16B 41 INC ECX
    0040B16C 3B4D FC CMP ECX,DWORD PTR SS:[EBP-4]
    0040B16F 885C3A FF MOV BYTE PTR DS:[EDX+EDI-1],BL
    0040B173 ^7C EC JL SHORT Wsrv.0040B161

    This causes the return address placed on the stack at 0012F900 by the call
    made from 0040AEB0 (which called the procedure 0040ADE8) to be completely
    overwritten.

    The procedure 0040B0FC returns successfully, and code execution resumes
    from 0040AE2F. When the procedure 0040ADE8 returns, the overwritten saved
    return address is popped off the stack into the instruction pointer
    register.

    0040AE9F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
    0040AEA2 5F POP EDI
    0040AEA3 5E POP ESI
    0040AEA4 5B POP EBX
    0040AEA5 C9 LEAVE
    0040AEA6 C2 0400 RETN 4

    This can be exploited to allow code execution to continue from an
    arbitrary address that we supply.
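    The following C program is an added example; it is not code from the
    advisory or from Webcam Watchdog. It shows the check that the copy loop at
    0040B161 lacks: before the registry-key string (prefix + request target +
    suffix) is assembled into a fixed-size buffer, the required length is
    compared against the destination capacity, and an overly long request
    target such as the one in the sample GET request above is rejected rather
    than written past the end of the buffer. The prefix and suffix are the
    strings named above; the 128-byte buffer size, the request-line parser and
    all function names are assumptions, since the advisory does not give the
    real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Strings named in the advisory; the buffer capacity is an assumption. */
#define KEY_PREFIX   "Software\\Webcam\\WatchdogX."
#define KEY_SUFFIX   "\\mycapteng\\ch0"
#define KEY_BUF_SIZE 128

/* Extract the request target from an HTTP request line ("GET /path HTTP/1.1").
 * Returns the target length, or -1 if the line is not a GET or the target
 * does not fit in out. */
static int extract_target(const char *request, char *out, size_t out_size) {
    if (strncmp(request, "GET ", 4) != 0) return -1;
    const char *start = request + 4;
    const char *end = strchr(start, ' ');
    if (end == NULL) return -1;
    size_t len = (size_t)(end - start);
    if (len + 1 > out_size) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Build the key string into dst. The loop at 0040B161 stops only when the
 * copy index reaches the source length; this version first checks that
 * prefix + page + suffix + NUL fits in dst_size and refuses otherwise.
 * Returns 0 on success, -1 when the input would overflow the buffer. */
static int build_key_checked(const char *page, char *dst, size_t dst_size) {
    size_t need = strlen(KEY_PREFIX) + strlen(page) + strlen(KEY_SUFFIX) + 1;
    if (need > dst_size) return -1;
    int n = snprintf(dst, dst_size, "%s%s%s", KEY_PREFIX, page, KEY_SUFFIX);
    return (n >= 0 && (size_t)n < dst_size) ? 0 : -1;
}

/* Process one raw request line: 0 if accepted, -1 if malformed or rejected. */
int check_request(const char *request) {
    char page[512];              /* holds the raw request target */
    char key[KEY_BUF_SIZE];      /* the stack buffer the key is built into */
    if (extract_target(request, page, sizeof page) < 0) return -1;
    return build_key_checked(page, key, sizeof key);
}

/* Constructed input helper: "GET /" + filler_len 'a' bytes + " HTTP/1.1".
 * Mirrors the shape of the advisory's sample request without its payload. */
int check_filler_request(size_t filler_len) {
    char req[1024];
    if (filler_len > 900) return -1;   /* keep inside the constructed buffer */
    size_t pos = 0;
    memcpy(req + pos, "GET /", 5);           pos += 5;
    memset(req + pos, 'a', filler_len);      pos += filler_len;
    memcpy(req + pos, " HTTP/1.1\r\n", 11);  pos += 11;
    req[pos] = '\0';
    return check_request(req);
}

int main(void) {
    printf("benign request:      %s\n",
           check_request("GET /index.html HTTP/1.1\r\n") == 0 ? "accepted" : "rejected");
    printf("234-byte target:     %s\n",
           check_filler_request(234) == 0 ? "accepted" : "rejected");
    printf("largest fitting (86):%s\n",
           check_filler_request(86) == 0 ? "accepted" : "rejected");
    printf("one byte too long:   %s\n",
           check_filler_request(87) == 0 ? "accepted" : "rejected");
    return 0;
}
```

    With a 128-byte buffer, a 26-byte prefix and a 14-byte suffix, the
    longest request target that fits is 87 bytes ('/' plus 86 filler bytes);
    the 234-byte filler from the sample request is refused before a single
    byte is copied, so neither the saved base pointer nor the saved return
    address can be reached.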

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:peter4020@hotmail.com> Peter
    Winter-Smith.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

