Buffer Overflow in WebCam32

Buffer Overflow of Kolban WebCam32 Program
Reported September 1, 1998 by ISS


  • Machines running Kolban WebCam32  v4.5.1 to v4.8.3 beta 3


As received by ISS:


ISS Vulnerability Alert
September 1, 1998

Remote Buffer Overflow in the Kolban Webcam32 Program


There is a vulnerability present in Kolban"s Webcam32 v4.5.1 to v4.8.3 beta 3. This vulnerability allows a remote attacker to overflow a buffer that can result in crashing the Webcam32 software, or more seriously to execute code on the system running Webcam32. This allows complete control over a Windows 95/98 system, and user level access to a Windows NT system.

Recommended Action:

Users should upgrade to webcam32 4.8.3 (or newer).

Registered users can download a fixed version of Webcam32 from:


The password to this site is provided as part of the software registration process for this software.

Unregistered users can download a fixed version of Webcam32 from:


Network administrators can protect internal machines from an external attack by filtering all incoming connections to TCP port 25867.

Determining If You Are Vulnerable:

If you are running Webcam32 by Neil Kolban, go to the Help menu and select "About webcam32". If the version number is between v4.5.1 and v4.8.3 beta 3, inclusive, your system is vulnerable to this attack.

Network administrators should scan their network for systems listening to TCP port 25867. Systems listening on this port are likely to be vulnerable to this attack, although new versions of Webcam32 with the remote administration feature explicitly enabled on the default port may also be listening and are not vulnerable.


The Webcam32 software acts as a stand-alone web server to present a real-time video feed to a standard web browser. Part of this web server contains a remote administration feature that allows configuration via a web browser. The remote administration feature fails to properly check the input size, allowing a remote attacker to craft a URL that will overflow an internal buffer on the stack.

Buffer overflows are easily exploited to crash the software containing the overflow. An experienced attacker can construct (and distribute) an exploit that will execute arbitrary code on the remote system. Although this serious attack is less frequently seen on Windows than on Unix systems, detailed instructions on how to construct this attack for a Windows application has been distributed by a well-known hacker group. 

ISS X-Force expects to see code execution type buffer overflow exploits on Windows more widely available in the future. As a consequence, administrators should be especially vigilant in correcting buffer overflow vulnerabilities.

 Additional Information:

This security issue was discovered by David Meltzer ([email protected]) of ISS X-Force. ISS X-Force would like to thank Neil Kolban for his response and handling of this vulnerability.


Copyright (c) 1998 by Internet Security Systems, Inc.

ISS vulnerability reports are public notifications of vulnerabilities discovered and researched by the ISS X-Force that have a smaller scope of impact than vulnerabilities published in an ISS Advisory. Although this vulnerability is very serious, there is only a small number of vulnerable systems, limiting the impact this vulnerability may have upon the Internet as a whole. Permission is hereby granted for the redistribution of this Vulnerability Report electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [email protected] for permission.


The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user"s own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT"s PGP key server and PGP.com"s key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:

X-Force <[email protected]> of Internet Security Systems, Inc.


Version: 2.6.3a

Charset: noconv




To learn more about NT Security concerns, subscribe to NTSD

- Originally reported by ISS
- Posted on The NT Shop on September 1, 1998
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.