SecurityTracker.com
Category:   Application (Multimedia)  >   Genius VideoCAM
Vendors:   W-Channel
Genius VideoCAM Snapshot Viewer Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1015839
SecurityTracker URL:  http://securitytracker.com/id/1015839
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 28 2006
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  

Description:   Beford reported a vulnerability in the Genius VideoCAM NB driver. A local user can gain elevated privileges.

A local user can press the snapshot button on the webcam to take a picture and load the snapshot viewer window. The snapshot viewer runs with SYSTEM privileges. The user can choose the File/Save As menu item, browse to '\windows\system32\', type '*.exe' as the file name, and right-click and select Open to load a shell with SYSTEM-level privileges.

A demonstration exploit screenshot is available at:

http://img159.imageshack.us/img159/5351/pwnt6qq.png

Impact:   A local user can gain System privileges.
Solution:   No solution was available at the time of this entry. The vendor does not plan to issue a fix.
Vendor URL:  www.geniusnet.com.tw/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.
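
Because the vendor does not plan a fix, an administrator may want to find processes in the same condition the advisory describes: a window on the user's desktop owned by a SYSTEM process. The following PowerShell audit is an added example, not code from the reporter or the vendor; the function name Get-SystemGuiProcess is hypothetical, and the script assumes PowerShell 3.0 or later run from an elevated prompt in the logged-on user's session.

```powershell
# Added example: list processes that run as LocalSystem and own a visible
# top-level window on the desktop this script is run from.
# Get-SystemGuiProcess is a hypothetical name chosen for this example.

$SystemSid = 'S-1-5-18'   # well-known SID of the LocalSystem account

function Get-SystemGuiProcess {
    # Win32_Process does not expose window handles, so index them by PID first.
    # MainWindowHandle is only populated for windows on the caller's desktop,
    # which is the desktop an interactive user could reach.
    $windows = @{}
    Get-Process |
        Where-Object { $_.MainWindowHandle -ne 0 } |
        ForEach-Object { $windows[[int]$_.Id] = $_.MainWindowTitle }

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $proc = $_
        $procId = [int]$proc.ProcessId
        if (-not $windows.ContainsKey($procId)) { return }

        # Compare by SID rather than account name so the check also works
        # on localized Windows installations.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwnerSid `
                                  -ErrorAction SilentlyContinue
        if ($owner -and $owner.Sid -eq $SystemSid) {
            [pscustomobject]@{
                ProcessId   = $procId
                Name        = $proc.Name
                SessionId   = $proc.SessionId
                WindowTitle = $windows[$procId]
                Path        = $proc.ExecutablePath
            }
        }
    }
}

$findings = @(Get-SystemGuiProcess)
if ($findings.Count -eq 0) {
    Write-Output 'No SYSTEM-owned windows found on this desktop.'
} else {
    # Each row is a GUI a standard user can interact with while it holds
    # SYSTEM rights; review whether it exposes file dialogs or similar.
    $findings | Format-Table -AutoSize
}
```

Run it while the suspect application's window is open (for this advisory, after the snapshot viewer appears); any row returned is a candidate for removal or for being relaunched under the user's own account.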


 Source Message Contents

Subject:  Genius VideoCAM NB Local Privilege Escalation

Software Vulnerable

Genius VideoCAM NB Driver
http://download.geniusnet.com.tw/CAMERA/webnb.zip

Other genius webcams with the same 'snapshot feature' might be
affected with the same issue, if you have any of those please try to
reproduce this issue.

Affects:  Windows XP / Windows 2000

Proof of concept (omg leet)

http://img159.imageshack.us/img159/5351/pwnt6qq.png

Description

This vuln is very similar to MS04-019 [1], when you press the
snapshot button on the webcam to take a picture, the snapshot viewer
window appears, the problem is that this application is running with
SYSTEM privileges, so you click file/save as, in the save as dialog you
browse to X:\windows\system32\, type *.exe in the file name, then just
right click and select open, a new shell with SYSTEM privileges
appears. As you can see on the screenshot, there are two cmd.exe
shells, one of those was started through the Run dialog, and the other
through this vuln. To check the user privileges, I used whoami.exe
from W32GnuUtils [2]


[1] http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx
[2] http://unxutils.sourceforge.net/
[3] http://www.milw0rm.com/exploits/350 (example exploit ms04-019)

Vendor contacted
Vendor Response:

1. Regarding the privilege problem, the limited user only can open the
shell, they can't use another functions.

2. Regarding the privilege problem, the limited user can open the shell but
can't use the functions provided by shell. It should be reasonable.
Moreover, the VideoCam NB has been phased out, our R&D won't pay more effort
to it unless usage bug.

Conclusion

I'm not sure what they mean with "can't use the functions provided by
shell". You only need to add a new admin user with the net command, or
use pwdump to dump the pw hashes, or just install a backdoor/rootkit.

 
 

