[VulnWatch] Webcam Watchdog Stack Overflow Vulnerability

• Previous message: advisory_at_security-corporation.com: "[VulnWatch] [SCSA-025] Invision Power Board SQL Injection Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: bugs@securitytracker.com, bugtraq@securityfocus.com, news@securiteam.com, vuln@secunia.com, vuln@security.nnov.ru, vulndb@securityfocus.com, vulnwatch@vulnwatch.org
Date: Sat, 03 Jan 2004 03:11:29 +0000

Webcam Watchdog Stack Overflow Vulnerability

############################################

Credit:
Author : Peter Winter-Smith

Software:
Packages : Webcam Watchdog
Version : 3.63 and below
Vendor : Webcam Corp.
Vendor Url : http://www.webcamsoft.com/en/watchdog.html

Vulnerability:
Bug Type : Stack-based Buffer Overflow
Severity : Highly Critical
              + Remote Code Execution

1. Description of Software

"Watchdog is simply your best choice if you need to record video over a
long time period. You can setup Watchdog to initiate video recording when
there's a motion detected. Watchdog can also alert you by emailing you the
captured image and play the alarm sound."
- Vendor's Website

"Webcam Watchdog is a powerful yet easy to use software to turn your PC
into an ultimate remote surveillance machine. Webcam Watchdog provides you
around-the-clock digital video recording with remote access capability.
With the standard web interface, you can simply point the browser to your
host PC to watch what's happening on the remote site."
- http://www.perfectdownloads.com

2. Bug Information

(a). Stack-based Buffer Overflow

Webcam Watchdog is vulnerable to a remotely exploitable stack based buffer
overflow which can be triggered via a simple overly long HTTP GET request
on port 80/tcp.

A sample request is as follows:

---------------------------------------------------
GET /('a'x234)('BBBB')('XXXX') HTTP/1.1
User-Agent: WCSAXRView
Host: 127.0.0.1
Cache-Control: no-cache

---------------------------------------------------

The above request would cause the saved base pointer to be overwritten
with 42424242h, and the saved return address to be overwritten with
58585858h.

NOTE:
Investigation shows that this flaw can be exploited regardless of whether
the internal Webcam Watchdog web interface password protection is set or
not.

    (i). Part of the Vulnerable Code

It seems that the executable is compressed or encrypted, so to follow the
steps detailed below it is best to load the executable and then trace the
code in the memory, rather than try and disassemble the application
beforehand.

At the address 0040AEB0 a procedure located at offset 0040ADE8 is called.
The return address 0040AEB5 is saved on the stack at the memory location
0012F900.

0040AEA9 56 PUSH ESI
0040AEAA 8BF1 MOV ESI,ECX
0040AEAC FF7424 08 PUSH DWORD PTR SS:[ESP+8]
0040AEB0 E8 33FFFFFF CALL Wsrv.0040ADE8
0040AEB5 8BC8 MOV ECX,EAX

In the procedure 0040ADE8, at line 0040AE2A, another procedure (0040B0FC)
is called, leaving the return address 0040AE2F on the stack at 0012F6D8
(this saved return address is *not* overwritten however, and the procedure
later returns without a problem).

0040AE2A E8 CD020000 CALL Wsrv.0040B0FC
0040AE2F 85C0 TEST EAX,EAX

In the procedure 0040B0FC, there is an unchecked string copying routine
which copies a string (composed of 'Software\Webcam\WatchdogX.' + Our
Requested WebPage String + '\mycapteng\ch0') into a buffer set out on the
stack.

0040B161 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
0040B164 8BD1 MOV EDX,ECX
0040B166 2BD0 SUB EDX,EAX
0040B168 8A1C19 MOV BL,BYTE PTR DS:[ECX+EBX]
0040B16B 41 INC ECX
0040B16C 3B4D FC CMP ECX,DWORD PTR SS:[EBP-4]
0040B16F 885C3A FF MOV BYTE PTR DS:[EDX+EDI-1],BL
0040B173 ^7C EC JL SHORT Wsrv.0040B161

This causes the return address placed on the stack at 0012F900 by the call
made from 0040AEB0 (which called the procedure 0040ADE8) to be completely
overwritten!

The procedure 0040B0FC returns successfully, and code execution resumes
from 0040AE2F. When the procedure 0040ADE8 returns, the overwritten saved
return address is pop'ed off the stack into the instruction pointer
register.

0040AE9F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0040AEA2 5F POP EDI
0040AEA3 5E POP ESI
0040AEA4 5B POP EBX
0040AEA5 C9 LEAVE
0040AEA6 C2 0400 RETN 4

This can be exploited to allow code execution to continue from an
arbitrary address which we supply!

3. Proof of Concept Code

It is my intent to allow the Webcam Watchdog development team to fix their
software before I make any exploit code public. Any exploit code which I
may release can be downloaded from:

- http://www.elitehaven.net/exploits.htm

4. Patches - Workarounds

None exist as of 03/01/2004.

5. Credits

    The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not
regard any of the analysis to be 'set in stone', and that if investigating
this flaw you back trace the steps detailed earlier for yourself.

Greets and thanks to:
    David and Mark Litchfield, JJ Gray (Nexus), Todd and all the
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),
pv8man, nick k., Joel J. and Martine.

o This document should be mirrored at:
    - http://www.elitehaven.net/webcamwatchdog.txt

_________________________________________________________________
Tired of 56k? Get a FREE BT Broadband connection
http://www.msn.co.uk/specials/btbroadband

• Previous message: advisory_at_security-corporation.com: "[VulnWatch] [SCSA-025] Invision Power Board SQL Injection Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]