Webcam Watchdog Stack Overflow Vulnerability
############################################

Credit:
  Author       : Peter Winter-Smith

Software:
  Packages     : Webcam Watchdog
  Version      : 3.63 and below
  Vendor       : Webcam Corp.
  Vendor Url   : http://www.webcamsoft.com/en/watchdog.html

Vulnerability:
  Bug Type     : Stack-based Buffer Overflow
  Severity     : Highly Critical + Remote Code Execution


1. Description of Software

"Watchdog is simply your best choice if you need to record video over a long time period. You can setup Watchdog to initiate video recording when there's a motion detected. Watchdog can also alert you by emailing you the captured image and play the alarm sound."
 - Vendor's Website

"Webcam Watchdog is a powerful yet easy to use software to turn your PC into an ultimate remote surveillance machine. Webcam Watchdog provides you around-the-clock digital video recording with remote access capability. With the standard web interface, you can simply point the browser to your host PC to watch what's happening on the remote site."
 - http://www.perfectdownloads.com


2. Bug Information

(a). Stack-based Buffer Overflow

Webcam Watchdog is vulnerable to a remotely exploitable stack-based buffer overflow which can be triggered via a simple overly long HTTP GET request on port 80/tcp. A sample request is as follows:

---------------------------------------------------
GET /('a'x234)('BBBB')('XXXX') HTTP/1.1
User-Agent: WCSAXRView
Host: 127.0.0.1
Cache-Control: no-cache
---------------------------------------------------

The above request would cause the saved base pointer to be overwritten with 42424242h, and the saved return address to be overwritten with 58585858h.

NOTE: Investigation shows that this flaw can be exploited regardless of whether the internal Webcam Watchdog web interface password protection is set or not.

(i). Part of the Vulnerable Code

It seems that the executable is compressed or encrypted, so to follow the steps detailed below it is best to load the executable and then trace the code in memory, rather than try to disassemble the application beforehand.

At the address 0040AEB0 a procedure located at offset 0040ADE8 is called. The return address 0040AEB5 is saved on the stack at the memory location 0012F900.

0040AEA9  56              PUSH ESI
0040AEAA  8BF1            MOV ESI,ECX
0040AEAC  FF7424 08       PUSH DWORD PTR SS:[ESP+8]
0040AEB0  E8 33FFFFFF     CALL Wsrv.0040ADE8
0040AEB5  8BC8            MOV ECX,EAX

In the procedure 0040ADE8, at line 0040AE2A, another procedure (0040B0FC) is called, leaving the return address 0040AE2F on the stack at 0012F6D8 (this saved return address is *not* overwritten however, and the procedure later returns without a problem).

0040AE2A  E8 CD020000     CALL Wsrv.0040B0FC
0040AE2F  85C0            TEST EAX,EAX

In the procedure 0040B0FC, there is an unchecked string copying routine which copies a string (composed of 'Software\Webcam\WatchdogX.' + Our Requested WebPage String + '\mycapteng\ch0') into a buffer set out on the stack.

0040B161  8B5D 08         MOV EBX,DWORD PTR SS:[EBP+8]
0040B164  8BD1            MOV EDX,ECX
0040B166  2BD0            SUB EDX,EAX
0040B168  8A1C19          MOV BL,BYTE PTR DS:[ECX+EBX]
0040B16B  41              INC ECX
0040B16C  3B4D FC         CMP ECX,DWORD PTR SS:[EBP-4]
0040B16F  885C3A FF       MOV BYTE PTR DS:[EDX+EDI-1],BL
0040B173 ^7C EC           JL SHORT Wsrv.0040B161

This causes the return address placed on the stack at 0012F900 by the call made from 0040AEB0 (which called the procedure 0040ADE8) to be completely overwritten! The procedure 0040B0FC returns successfully, and code execution resumes from 0040AE2F. When the procedure 0040ADE8 returns, the overwritten saved return address is popped off the stack into the instruction pointer register.

0040AE9F  8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
0040AEA2  5F              POP EDI
0040AEA3  5E              POP ESI
0040AEA4  5B              POP EBX
0040AEA5  C9              LEAVE
0040AEA6  C2 0400         RETN 4

This can be exploited to allow code execution to continue from an arbitrary address which we supply!


3. Proof of Concept Code

It is my intent to allow the Webcam Watchdog development team to fix their software before I make any exploit code public. Any exploit code which I may release can be downloaded from:

 - http://www.elitehaven.net/exploits.htm


4. Patches - Workarounds

None exist as of 03/01/2004.


5. Credits

The discovery, analysis and exploitation of this flaw are the result of research carried out by Peter Winter-Smith. I would ask that you do not regard any of the analysis to be 'set in stone', and that if investigating this flaw you back trace the steps detailed earlier for yourself.

Greets and thanks to:
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)), pv8man, nick k., Joel J. and Martine.

o This document should be mirrored at:

 - http://www.elitehaven.net/webcamwatchdog.txt
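Added example for section 2(i), written for this edit and not taken from the advisory or from Webcam Corp.'s code: a bounded replacement for the kind of unchecked copy described there (prefix + requested page + suffix into a fixed stack buffer), applied to the request-target of an HTTP request line, so that a request shaped like the one in section 2(a) is refused instead of reaching the saved base pointer and return address. The 256-byte buffer size and all function names are assumptions; the advisory does not state the real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Prefix/suffix the advisory says Wsrv wraps around the requested page
 * name before copying the result into a stack buffer. */
#define KEY_PREFIX "Software\\Webcam\\WatchdogX."
#define KEY_SUFFIX "\\mycapteng\\ch0"
#define KEY_BUF_SIZE 256  /* assumed; the advisory does not give the size */

/* Bounded replacement for the unchecked copy loop: writes prefix + page +
 * suffix into out[outsz] and returns the length, or -1 when it would not
 * fit. Nothing is written past out[outsz-1], so saved EBP/EIP stay intact. */
int build_key_path(const char *page, char *out, size_t outsz)
{
    size_t need = strlen(KEY_PREFIX) + strlen(page) + strlen(KEY_SUFFIX);
    if (outsz == 0 || need >= outsz) {           /* no room for the NUL */
        if (outsz) out[0] = '\0';
        return -1;
    }
    return snprintf(out, outsz, "%s%s%s", KEY_PREFIX, page, KEY_SUFFIX);
}

/* Pulls the target out of "METHOD target HTTP/x.y" and builds its key
 * path into a static KEY_BUF_SIZE buffer; NULL if the line is malformed or
 * the path would not fit (the case the advisory's sample request hits). */
const char *request_key_path(const char *line)
{
    static char key[KEY_BUF_SIZE];
    char target[1024];
    const char *start = strchr(line, ' ');
    const char *end = start ? strchr(start + 1, ' ') : NULL;
    if (!start || !end) return NULL;
    size_t tlen = (size_t)(end - start - 1);
    if (tlen >= sizeof target) return NULL;      /* cannot possibly fit */
    memcpy(target, start + 1, tlen);
    target[tlen] = '\0';
    return build_key_path(target, key, sizeof key) < 0 ? NULL : key;
}

/* Constructed request line in the advisory's shape: "/" + n_pad 'a' bytes
 * + "BBBB" + "XXXX". Static buffer; NULL if n_pad is too large. */
const char *make_padded_request(size_t n_pad)
{
    static char buf[1024];
    if (n_pad + 23 > sizeof buf) return NULL;    /* "GET /" + pad + 17 + NUL */
    memcpy(buf, "GET /", 5);
    memset(buf + 5, 'a', n_pad);
    memcpy(buf + 5 + n_pad, "BBBBXXXX HTTP/1.1", 18);
    return buf;
}
```

With the assumed 256-byte buffer, a target of up to 215 bytes (26-byte prefix + target + 14-byte suffix + NUL) is accepted and anything longer, including the 243-byte target from section 2(a), is rejected before any copy takes place.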