SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   webcamXP Vendors:   Darkwet Network
webcamXP Input Validation Flaws Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1006701
SecurityTracker URL:  http://securitytracker.com/id/1006701
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 2 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.02.432, 1.02.535
Description:   Frame4 Security Systems issued an advisory warning that webcamXP contains input validation vulnerabilities in the web-based chat feature. A remote user can conduct cross-site scripting attacks.

A remote user can insert specially crafted text into the message field of the chat web page. Then, when the chat web page is viewed by a target user, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the webcamXP chat software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The following demonstration exploit message contents is provided:

<script>alert(document.cookie);</script>

It is also reported that a remote user can inserte an arbitrary IFRAME into the message field to cause the IFRAME contents to be loaded onto the chat initiator's browser.

The advisory credits Morning Wood and Anthony Aykut with discovery of these flaws.

The vendor has reportedly been notified.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the webcamXP chat software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.darkwet.net/main.asp?page=webcam/home.html&left=webcam/left.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  FRAME4 SECURITY ADVISORY [FSA-2003:002]




===============================================================================
FRAME4 SECURITY ADVISORY [FSA-2003:002]
-------------------------------------------------------------------------------

PRODUCT            : WebcamXP
PRODUCT/VENDOR URL : http://www.darkwet.net/
TYPE               : Vulnerability / Exploit
IMPACT             : Medium
SUMMARY            : Code Injection Vulnerabilities in WebcamXP Chat Feature
DISCOVERY DATE     : 00/03/2003
PUBLIC RELEASE     : 02/05/2003
AFFECTED VERSION(S): All (as of discovery date)
FIXED VERSION(S)   : None
VENDOR NOTIFIED    : Yes

-------------------------------------------------------------------------------

BACKGROUNDER:

Vendor web site states that WebcamXP is a "powerful webcam utility with an
integrated http server so you don't need to install a web server on your
computer. Works under all windows os and the server port can be changed."

INTRODUCTION:

We have discovered various code injection vulnerabilities in the chat feature
of WebcamXP.

ADVISORY URL:

This advisory is available in its original format at the following URL:
http://www.frame4.com/content/advisories/FSA-2003-002.txt

VENDOR CONTACT:

We have emailed the creator of the program, "wet", on wet@darkwet.net with the
specifics of this vulnerability on the release date of this advisory.

VULNERABILITY DESCRIPTION:

Please refer to the 'Technical Description' section below, for full description
of the problem(s).

VULNERABLE APPLICATION(S)/PACKAGE(S)/VERSION(S):

We have tested these vulnerabilities between two versions; v1.02.432 and the
latest build, v1.02.535. Whereas the chatbox feature on the application side
seems to be pretty immune to code injection (MOST code gets stripped), the web
page portion is far from being safe.

Although the tests have been carried out between two builds of the program, it
is highly possible that other versions behave the same way. The tests were only
carried out using Microsoft Internet Explorer.

SOLUTION/VENDOR INFORMATION/WORKAROUND:

None as yet. Although recently the server portion of the chat feature has been
upgraded (where certain tags get filtered), the problems still seem to exist.

TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:

The below examples are merely a small portion of what could be possible and in
no way constitute an exhaustive list of potential vulnerabilities.

[001] Code Injection 1

We have ascertained that typing <script>alert(document.cookie);</script> in the
message field on the web page generates a message box whereas this should be
ignored. You can see an actual screen shot of this at the following URL:
http://www.frame4.com/content/advisories/FSA-2003-002-01.jpg

[002] Code Injection 2

Following on from the previous example, we have also noticed that in a similar
manner, an IFRAME can be generated by simply typing the following 'command' in
the message field: <iframe src="http://frame4.com"></iframe>. You can find the
relevant screen shots of this 'feature' at the following URLs:
http://www.frame4.com/content/advisories/FSA-2003-002-01.jpg
http://www.frame4.com/content/advisories/FSA-2003-002-02.jpg
http://www.frame4.com/content/advisories/FSA-2003-002-03.jpg

[003] Code Injection 3

This is the "showstopper". We have discovered that the IFRAME can be "pushed"
onto the chat initiator in the same fashion. In this case, a webcam operator
for example, can inject a script "out" to the user via the internal chat box.
A screen shot of this problem can be seen here:
http://www.frame4.com/content/advisories/FSA-2003-002-04.jpg

[004] "Malformed Code" Injection

Whereas the command <iframe src="http://frame4.com"></iframe> creates a perfect
IFRAME (see above), if we issue (by accident) the same command in the "wrong"
manner, i.e.:

<script>alert(document.cookie);</script><iframe src=http://frame4.com</iframe>

the page goes into some kind of 'loop'. The message box gets generated and then
we DO get an IFRAME (and rightly, you get an 404 as the content) but the scroll
bars disappear and the page just stops responding.

Closing the browser and re-opening at the chat URL has absolutely no effect, as
the above loop gets repeated and the situation does not change until the other
party resets or refreshes their page. A screen shot of this problem can be seen
here: http://www.frame4.com/content/advisories/FSA-2003-002-05.jpg

CREDITS:

The vulnerabilities outlined in this advisory and accompanying sample code have
been discovered by a joint operation between Morning Wood and Anthony Aykut. We
have NOT circulated any of our findings through the underground community, and,
present them here as a PUBLIC DISCLOSURE.

Morning Wood
morning_wood@thepub.co.za
Morning Wood, Inc
http://take.candyfrom.us/

Anthony Aykut
anthony.aykut@frame4.com
Frame4 Security Systems
http://www.frame4.com

REFERENCES:

None.

ABOUT:

Frame4 Security Systems is a new security partner, empowering clients with the
necessary knowledge and products to protect and secure their computer systems.

Headquartered in The Netherlands, Frame4 can be reached at +31(0)172-515901 or
on the Web at http://www.frame4.com/.

DISCLAIMER:

This advisory is a Frame4 Security Systems ("Frame4") publication, all rights
reserved (c) 2003. You may (re-)distribute the text as long as the content is
not changed in any way and with this header text intact. If you want to serve
this paper on your web site/FTP/Newsgroup/etc., we encourage you to do so, as
long as no changes are made without the prior permission of the author(s), no
fees are charged and proper credit is given.

IMPORTANT -- THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. To the maximum
extent permitted by applicable law, in no event shall Frame4 Security Systems
be liable for any damages whatsoever, (including, without limitation, damages
for loss of any business profits, business interruption, loss of any business
information, or other pecuniary loss) arising out of the use, or inability to
use any software, and/or procedures outlined in this document, even if Frame4
Security Systems has been advised of the possibility of such damage(s). There
are NO warranties with regard to this information.

This advisory is the property of Frame4 Security Systems, all rights reserved.
Copyright (c) 1999-2003 Frame4 Security Systems -- http://www.frame4.com/
===============================================================================



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC