Multiple Vulnerabilities of PY Software Active Webcam WebServer

By Sowhat
04.Jan.2005
http://secway.org/advisory/ad20050104.txt

Product: PY Software Active Webcam 5.5
Vendor: PY Software, Inc.

(1) Introduction

Active WebCam is a popular shareware program for capturing video streams from video devices for Microsoft Windows platforms.
For more information: www.pysoft.com

(2) Details:

There are multiple vulnerabilities in the PY Software Active Webcam WebServer, including Denial of Service and Information Disclosure.

<1> Floppy Disk request Denial of Service

http://172.16.15.8:8080/A:\a.txt

This request forces webcam.exe to access A:\a.txt. If there is no floppy disk in the A: drive, the system pops up a message like "There is no disk in the drive. Please insert a disk into drive A: ". Until the administrator presses "Cancel" or "Yes", all other requests are paused, which means other users cannot access the HTTP server, thus leading to a Denial of Service.

<2> Filelist.html Denial of Service

http://172.16.15.8:8080/Filelist.html

When requesting Filelist.html, the target's CPU usage will be 100%, and it seems that Explorer.exe uses 95%, I don't know why :)

<3> Physical path Disclosure

http://172.16.15.8:8080/a

The server will return "The requested file: C:\Program Files\Active WebCam\images\a\ was not found."

<4> File Disclosure

The HTTP server returns different results for an existing file and a non-existent file.

http://172.16.15.8:8080/c:\nonexsit.txt
the HTTP server returns "Active WebCam cannot find this file"

http://172.16.15.8:8080/c:\boot.ini
the HTTP server returns "HTTP 403 Forbiden"

This leads to system information disclosure and can be used to verify whether some particular software is installed, for example:

http://172.16.15.8:8080/C:\Snort\bin\snort.exe

will disclose whether Snort is installed on the server and gives more useful information to the attacker.

<5> Memory exhaustion Denial of Service

It seems that the webcam HTTP server cannot correctly release memory, which leads to a denial of service. Each connect() and send() of an HTTP request makes webcam.exe consume at least 52k of memory; after the HTTP request has been sent thousands of times, the system runs out of memory. webcam.exe will crash, or the HTTP server will automatically and continuously restart.

The following information was found in the System Event Log:

"Access violation at address 00402254 in module 'WebCam.exe'. Write of address FE171055."
"Invalid pointer operation."

(3) Vendor Reply

Reported on 2005.03.05, no reply yet.
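
Added example (not part of the original advisory and not PY Software code): a sketch of the request-path handling whose absence items <1>, <3> and <4> describe. It refuses drive-letter paths before any disk access, confines requests to the document root, and gives one generic reply for every failure. DOC_ROOT, SERVED, resolve() and handle() are hypothetical names with constructed values.

```python
import ntpath                      # Windows path rules, usable on any OS
from urllib.parse import unquote

DOC_ROOT = r"C:\webroot"                       # constructed document root (assumption)
SERVED = {r"c:\webroot\index.html"}            # constructed list of servable files, lower-case

# One reply for "missing", "forbidden" and "outside the root": no physical
# path in the body (item <3>) and no 403-vs-404 difference to probe (item <4>).
NOT_FOUND = (404, "Not Found")


def resolve(raw_path):
    """Map a request path to a path under DOC_ROOT, or None if it is refused."""
    rel = unquote(raw_path).replace("/", "\\").lstrip("\\")
    # A ':' means a drive letter ('A:\a.txt', 'c:\boot.ini') or an alternate
    # data stream. Refusing here means drive A: is never touched (item <1>).
    if ":" in rel:
        return None
    full = ntpath.normpath(ntpath.join(DOC_ROOT, rel))
    # After '..' is collapsed, the result must still be inside DOC_ROOT.
    if ntpath.commonpath([DOC_ROOT, full]).lower() != DOC_ROOT.lower():
        return None
    return full


def handle(raw_path):
    """Return (status, body) for a request path without leaking file-system state."""
    full = resolve(raw_path)
    if full is None or full.lower() not in SERVED:
        return NOT_FOUND
    return (200, "OK")             # a real server would stream the file here


if __name__ == "__main__":
    # Request paths taken from the advisory, plus one servable file.
    for p in ["/index.html", "/A:\\a.txt", "/a", "/c:\\nonexsit.txt",
              "/c:\\boot.ini", "/C:\\Snort\\bin\\snort.exe"]:
        print(p, "->", handle(p))
```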