Willings WebCam - Password Disclosure Issue
-----------------------------
Software: Willings WebCam
Corporation: Illustrate
Revision Date: May 09, 2005
Version: 2.8
Tested on: Windows 2000 SP4
Vulnerability: Local Password Disclosure Issue
----------------------------------------------
BACKGROUND
----------
Willing Webcam is a simple, yet fully-featured software tool designed to help
you capture
streaming video and snapshots and publish them on your website. To make your
video production
shine, you can enhance it with comments, date and time stamps, watermarks, and
various live
video effects. You can also create a digital album where images and videos are
organized
for fast retrieval and viewing. Uses a motion control detection sensor that
wakes up your
web camera at the slightest motion in the room. The sensor can trigger a
variety of actions,
including email sending, movie saving, FTP uploading, sound alarm, or a launch
of any
specified application. In addition to the motion sensor, the program has a
time-lapse option.
It allows you to record video at specified time intervals.
Source: www.willingsoftware.com
VULNERABLE PRODUCTS
-------------------
Willings WebCam <= 2.8
Willings WebCam Lite <= 2.8
CONTEXT
-------
In the option settings, you can define an administrator password to protect the
local
configuration access. If the password is forgotten, and that you decide to
reinstall
for re-initialize it... damned it doesn't work. This bug was discovered by
Secubox Labs
thanks to a customer who had lost his password. The recovery tool realisation
allowed us
to put the stress on a weakness software.
VULNERABILITY
-------------
The problem resides in the fact that the application will execute a function
that loads
the password in static memory before the user has even identified himself.
A simple read operation at this address will reveal the password.
**********************************
Memory: Willings WebCam ( ww.exe )
AllocationBase: 7B930000 - Read/Write - Private
-----------------------------------------------------------------------\
00 00 00 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; ...DEGetBlockFmt |
4E 61 6D 65 73 50 61 72 61 6D 00 00 00 00 00 40 ; NamesParam.....@ |
00 00 00 00 00 00 00 31 00 00 00 44 45 47 65 74 ; .......1...DEGet |
42 6C 6F 63 6B 46 6D 74 4E 61 6D 65 73 50 61 72 ; BlockFmtNamesPar |
61 6D 2E 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; am.DEGetBlockFmt |
4E 61 6D 65 73 50 61 72 61 6D 2E 31 00 00 00 20 ; NamesParam.1... |
00 00 00 01 00 00 00 13 00 00 00 41 63 74 69 6F ; ...........Actio |
6E 4E 65 74 77 6F 72 6B 43 61 6D 65 72 61 00 20 ; nNetworkCamera.
|____________
00 00 00 01 00 00 00 07 00 00 00 53 65 63 75 42 ; ...........SecuB <--/ PLAIN
TEXT \
6F 78 00 4E 44 20 50 41 53 53 57 4F 52 44 00 20 ; ox.ND PASSWORD.
<--\____________/
00 00 00 D0 8A 83 00 80 68 9F 7B 01 00 00 00 04 ; ...Ð??.?h?{..... |
00 00 00 65 78 00 00 65 50 61 72 61 6D 2E 44 40 ; ...ex..eParam.D@ |
00 00 00 01 00 00 00 1F 00 00 00 44 69 72 65 63 ; ...........Direc |
74 58 20 76 69 64 65 6F 20 73 6F 75 72 63 65 2E ; tX video source. |
20 20 43 74 72 6C 2B 46 31 30 00 44 65 6E 61 6C ; Ctrl+F10.Denal |
69 44 6C 67 39 38 2E 44 65 6E 61 6C 69 44 6C 00 ; iDlg98.DenaliDl. |
01 00 00 68 35 7B 00 00 6E 93 7B 48 CF 94 7B 01 ; ...h5{..n?{HÏ?{. |
-----------------------------------------------------------------------/
Class is "TFormJB" and Window name "Input Password"
Start -> 7b94cf68 - 47 - inc edi
The end, just find -> "ND PASSWORD"
***************************************************
VENDOR STATUS
-------------
Vendor have been contacted: 6 may 2005
CREDITS
----------------------
SecuBox Labs - fRoGGz
unsecure[at]writeme[dot]com
----------------------------