what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

tcambof.txt

tcambof.txt
Posted Feb 25, 2005
Authored by Luigi Auriemma | Site aluigi.altervista.org

TrackerCam versions 5.12 and below are susceptible to a User-Agent buffer overflow, PHP argument buffer overflow, directory traversal, path disclosure, html injection to its log file, information disclosure, and remote denial of service flaws.

tags | exploit, remote, denial of service, overflow, php, info disclosure
SHA-256 | 8306b09e3c8f0acd60d146d50857d197c34a8af01ed35b3319dea96dae7af9e0

tcambof.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: TrackerCam
http://www.trackercam.com
Versions: <= 5.12
Platforms: Windows
Bugs: A] User-Agent buffer-overflow
B] PHP argument buffer-overflow
C] directory traversal and full path disclosure
D] html injection in log file
E] informations disclosure
F] crash caused by multiple error messages
Exploitation: remote
Date: 18 Feb 2005
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


TrackerCam is a webcam http server with the possibility to be
publically and easily visible through the TrackerCam community page:
http://www.trackercam.com/livecams


#######################################################################

=======
2) Bugs
=======

-----------------------------
A] User-Agent buffer-overflow
-----------------------------

An HTTP request containing an User-Agent field longer than 216 bytes
leads to a buffer-overflow.


-------------------------------
B] PHP argument buffer-overflow
-------------------------------

As above but this buffer-overflow happens when the server handles an
argument longer than 256 bytes passed to any PHP script.
Example:
http://host:8090/MessageBoard/messages.php?aaaaaaaaaaa...aaaa


-----------------------------------------------
C] directory traversal and full path disclosure
-----------------------------------------------

TrackerCam has a PHP script accessible by anyone (bug E) that is used
to watch the log files from the web interface.
The problem is that the log filename is passed through a PHP argument
and there are no security checks in the script so an attacker can
choose what file to read and moreover from what location since is
possible to use a directory traversal attack.
If the file doesn't exist or no arguments are passed will be showed the
full physical path on which is located the ComGetLogFile.php3 script.
Both slash, backslash and their hex values are allowed.
Example:

http://host:8090/tuner/ComGetLogFile.php3?fn=../../../../windows/system.ini


-----------------------------
D] html injection in log file
-----------------------------

Any login (correct or wrong) is logged in the current log file of the
month. As already said this file is also visible through a web browser
allowing an attacker to put HTML or any other code supported by the
admin's browser in the log file through a login request.


--------------------------
E] informations disclosure
--------------------------

As said in bug C, is possible to reach the ComGetLogFile.php3 script
without restrictions in fact also the servers protected by passwords
have ever some interesting zones accessible by anyone and the log file
is just one of those, or at least that causing a threat.
In this file in fact are logged both wrong and correct logins so is
possible to guess the working passwords (that naturally are not stored
in the file), know what IP addresses have accessed the server or
retrieve other small informations.
Each log file contains the logins of the entire month so an example of
log filename for the current month is:
http://host:8090/tuner/ComGetLogFile.php3?fn=Eye2005_02.log


------------------------------------------
F] crash caused by multiple error messages
------------------------------------------

If the server receives a negative Content-Length, it will show a simple
MessageBox with an "insufficient memory" error and the same happens for
any subsequent bad request like that.
After about 300 of these consecutive errors the server crashs.

Another similar problem (just to take note, but not so important)
happens after the sending of about 10 megabytes of data.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/tcambof.zip


#######################################################################

======
4) Fix
======


No fix.
The developers don't seem interested to fix these bugs.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close