SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Video Cam Server Vendors:   Raysoft
Video Cam Server Lets Remote Users Traverse the Directory, Determine the Installation Path, and Deny Service
SecurityTracker Alert ID:  1013860
SecurityTracker URL:  http://securitytracker.com/id/1013860
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 2 2005
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 1.0.0
Description:   Donato Ferrante reported several vulnerabilities in Video Cam Server. A remote user can obtain files from the target system. A remote user can also determine the installation path and deny service.

A remote user can obtain files located outside of the web document directory by supplying a request containing '..\' directory traversal characters. A demonstration exploit URL is provided:

http://[target]/..\..\..\..\..\..\..\..\..\..\..\windows\system.ini

A remote user can access the following administration page to shutdown the camera or the web service:

http://[target]/admin.html

A remote user can request a non-existent page to determine the installation path. A demonstration exploit is provided:

http://[target]/%20

The vendor has been notified.

Impact:   A remote user can obtain files from the target system.

A remote user can determine the installation path.

A remote user can shutdown the camera and/or the web service.

Solution:   No solution was available at the time of this entry.
Vendor URL:  vcs.raybase.com/ (Links to External Site)
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple Vulnerabilities in Video Cam Server 1.0.0



                           Donato Ferrante


Application:  Video Cam Server
              http://vcs.raybase.com/

Version:      1.0.0

Bugs:         Multiple Vulnerabilities

Date:         02-May-2005

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"Video Cam Server (VCS) is a server for publishing the image taken from
a Video Camera (especially Web Cam) connected to it. It will be very
useful for remote monitoring your home, office or other environment."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

The bugs are located into the built-in webserver.
By default no HTTP Authentication is set so a malicious user can:

i.
     (path disclosure) know the remote current path, by sending an
     http request for an unavailable page.

ii.
     (directory traversal) go out the document root assigned to the
     webserver by using common malicious patterns like: ".." into
     http requests, and see/download all the files available on the
     remote system.

iii.
     (denial of service) shutdown http-server and/or camera, by using
     admin's control page that it's not properly managed.


NOTE:

Reported vulnerabilities are also valid if the HTTP Authentication is
set, but in this case the malicious user must obtain login information.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerabilities:

i.
    http://[host]/%20


ii.
    http://[host]/..\..\..\..\..\..\..\..\..\..\..\windows\system.ini

    or connect to the webserver and send a raw request like:

    GET /../../../../../../../../../../../windows/system.ini HTTP/1.1


iii.
    http://[host]/admin.html



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Vendor has been notified.
Bugs will be probably fixed in the next release.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC