<<< Date Index >>>     <<< Thread Index >>>

Willings WebCam - Password Disclosure Issue




-----------------------------
Software: Willings WebCam
Corporation: Illustrate
Revision Date: May 09, 2005
Version: 2.8
Tested on: Windows 2000 SP4
Vulnerability: Local Password Disclosure Issue
----------------------------------------------


BACKGROUND
----------
Willing Webcam is a simple, yet fully-featured software tool designed to help 
you capture 
streaming video and snapshots and publish them on your website. To make your 
video production 
shine, you can enhance it with comments, date and time stamps, watermarks, and 
various live 
video effects. You can also create a digital album where images and videos are 
organized 
for fast retrieval and viewing. Uses a motion control detection sensor that 
wakes up your 
web camera at the slightest motion in the room. The sensor can trigger a 
variety of actions, 
including email sending, movie saving, FTP uploading, sound alarm, or a launch 
of any 
specified application. In addition to the motion sensor, the program has a 
time-lapse option. 
It allows you to record video at specified time intervals.
Source: www.willingsoftware.com


VULNERABLE PRODUCTS
-------------------
Willings WebCam <= 2.8
Willings WebCam Lite <= 2.8


CONTEXT
-------
In the option settings, you can define an administrator password to protect the 
local 
configuration access. If the password is forgotten, and that you decide to 
reinstall 
for re-initialize it... damned it doesn't work. This bug was discovered by 
Secubox Labs 
thanks to a customer who had lost his password. The recovery tool realisation 
allowed us 
to put the stress on a weakness software.


VULNERABILITY
-------------
The problem resides in the fact that the application will execute a function 
that loads 
the password in static memory before the user has even identified himself.
A simple read operation at this address will reveal the password.


**********************************
Memory: Willings WebCam ( ww.exe )
AllocationBase: 7B930000 - Read/Write - Private
-----------------------------------------------------------------------\
00 00 00 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; ...DEGetBlockFmt     |
4E 61 6D 65 73 50 61 72 61 6D 00 00 00 00 00 40 ; NamesParam.....@     |
00 00 00 00 00 00 00 31 00 00 00 44 45 47 65 74 ; .......1...DEGet     |
42 6C 6F 63 6B 46 6D 74 4E 61 6D 65 73 50 61 72 ; BlockFmtNamesPar     |
61 6D 2E 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; am.DEGetBlockFmt     |
4E 61 6D 65 73 50 61 72 61 6D 2E 31 00 00 00 20 ; NamesParam.1...      |
00 00 00 01 00 00 00 13 00 00 00 41 63 74 69 6F ; ...........Actio     |
6E 4E 65 74 77 6F 72 6B 43 61 6D 65 72 61 00 20 ; nNetworkCamera.      
|____________
00 00 00 01 00 00 00 07 00 00 00 53 65 63 75 42 ; ...........SecuB  <--/ PLAIN 
TEXT \
6F 78 00 4E 44 20 50 41 53 53 57 4F 52 44 00 20 ; ox.ND PASSWORD.   
<--\____________/
00 00 00 D0 8A 83 00 80 68 9F 7B 01 00 00 00 04 ; ...Ð??.?h?{.....     |
00 00 00 65 78 00 00 65 50 61 72 61 6D 2E 44 40 ; ...ex..eParam.D@     |
00 00 00 01 00 00 00 1F 00 00 00 44 69 72 65 63 ; ...........Direc     |
74 58 20 76 69 64 65 6F 20 73 6F 75 72 63 65 2E ; tX video source.     |
20 20 43 74 72 6C 2B 46 31 30 00 44 65 6E 61 6C ;   Ctrl+F10.Denal     |
69 44 6C 67 39 38 2E 44 65 6E 61 6C 69 44 6C 00 ; iDlg98.DenaliDl.     |
01 00 00 68 35 7B 00 00 6E 93 7B 48 CF 94 7B 01 ; ...h5{..n?{HÏ?{.     |
-----------------------------------------------------------------------/

Class is "TFormJB" and Window name "Input Password"
Start -> 7b94cf68 - 47  - inc edi
The end, just find -> "ND PASSWORD"
***************************************************



VENDOR STATUS
-------------
Vendor have been contacted: 6 may 2005



CREDITS
----------------------
SecuBox Labs - fRoGGz
unsecure[at]writeme[dot]com
----------------------------