CamFrog Password Disclosure Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CamFrog Password Disclosure Vulnerability
From: zigmatn@xxxxxxxxx
Date: Fri, 6 Feb 2009 13:23:44 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Advisory:

CamFrog Video Chat Password Disclosure Vulnerability.

Versions Affected:

CamFrog Video Chat Version 5.0(Free one)
Camfrog Pro 5.2 (paied one $49.95)

Release Date:

7 February 2009

Description:

CamFrog Video Chat 5.0 and Camfrog Pro 5.2 suffers from a Local password 
disclosure vulnerability due to the leak of proper encryption of credentials in 
the process level .In fact,the credentials can be extracted in clear text by 
dumping process memory of the live camfrog process when a connection is 
established.

Note : This vulnerability can be exploited by Social Engineering tricks such as 
fooling the user to execute malicious code wich would dump the memory of the 
process.

Proof of Concept:

http://nullarea.net/sploits/c/camfrog/poc.pdf

Credits:

Zigma [zigmatn{a.t}gmail.com]
http://NullArea.NET

Time Line Notification:

28-01-209 -- Contacted Via Email , Though no response till now

Prev by Date: iDefense Security Advisory 02.06.09: HP Network Node Manager Multiple Command Injection Vulnerabilities
Next by Date: iDefense Security Advisory 02.06.09: HP Network Node Manager Multiple Information Disclosure Vulnerabilities
Previous by thread: iDefense Security Advisory 02.06.09: HP Network Node Manager Multiple Command Injection Vulnerabilities
Next by thread: iDefense Security Advisory 02.06.09: HP Network Node Manager Multiple Information Disclosure Vulnerabilities
Index(es):
- Date
- Thread