Multiple vulnerabilities in TrackerCam 5.12
#######################################################################
Luigi Auriemma
Application: TrackerCam
http://www.trackercam.com
Versions: <= 5.12
Platforms: Windows
Bugs: A] User-Agent buffer-overflow
B] PHP argument buffer-overflow
C] directory traversal and full path disclosure
D] html injection in log file
E] informations disclosure
F] crash caused by multiple error messages
Exploitation: remote
Date: 18 Feb 2005
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
TrackerCam is a webcam http server with the possibility to be
publically and easily visible through the TrackerCam community page:
http://www.trackercam.com/livecams
#######################################################################
=======
2) Bugs
=======
-----------------------------
A] User-Agent buffer-overflow
-----------------------------
An HTTP request containing an User-Agent field longer than 216 bytes
leads to a buffer-overflow.
-------------------------------
B] PHP argument buffer-overflow
-------------------------------
As above but this buffer-overflow happens when the server handles an
argument longer than 256 bytes passed to any PHP script.
Example:
http://host:8090/MessageBoard/messages.php?aaaaaaaaaaa...aaaa
-----------------------------------------------
C] directory traversal and full path disclosure
-----------------------------------------------
TrackerCam has a PHP script accessible by anyone (bug E) that is used
to watch the log files from the web interface.
The problem is that the log filename is passed through a PHP argument
and there are no security checks in the script so an attacker can
choose what file to read and moreover from what location since is
possible to use a directory traversal attack.
If the file doesn't exist or no arguments are passed will be showed the
full physical path on which is located the ComGetLogFile.php3 script.
Both slash, backslash and their hex values are allowed.
Example:
http://host:8090/tuner/ComGetLogFile.php3?fn=../../../../windows/system.ini
-----------------------------
D] html injection in log file
-----------------------------
Any login (correct or wrong) is logged in the current log file of the
month. As already said this file is also visible through a web browser
allowing an attacker to put HTML or any other code supported by the
admin's browser in the log file through a login request.
--------------------------
E] informations disclosure
--------------------------
As said in bug C, is possible to reach the ComGetLogFile.php3 script
without restrictions in fact also the servers protected by passwords
have ever some interesting zones accessible by anyone and the log file
is just one of those, or at least that causing a threat.
In this file in fact are logged both wrong and correct logins so is
possible to guess the working passwords (that naturally are not stored
in the file), know what IP addresses have accessed the server or
retrieve other small informations.
Each log file contains the logins of the entire month so an example of
log filename for the current month is:
http://host:8090/tuner/ComGetLogFile.php3?fn=Eye2005_02.log
------------------------------------------
F] crash caused by multiple error messages
------------------------------------------
If the server receives a negative Content-Length, it will show a simple
MessageBox with an "insufficient memory" error and the same happens for
any subsequent bad request like that.
After about 300 of these consecutive errors the server crashs.
Another similar problem (just to take note, but not so important)
happens after the sending of about 10 megabytes of data.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/tcambof.zip
#######################################################################
======
4) Fix
======
No fix.
The developers don't seem interested to fix these bugs.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org