Buffer Overflow in WebCam32

Buffer Overflow of Kolban WebCam32 Program
Reported September 1, 1998 by ISS

VERSIONS AFFECTED

  • Machines running Kolban WebCam32  v4.5.1 to v4.8.3 beta 3

DESCRIPTION

As received by ISS:

-----BEGIN PGP SIGNED MESSAGE-----

ISS Vulnerability Alert
September 1, 1998

Remote Buffer Overflow in the Kolban Webcam32 Program

Synopsis:

There is a vulnerability present in Kolban"s Webcam32 v4.5.1 to v4.8.3 beta 3. This vulnerability allows a remote attacker to overflow a buffer that can result in crashing the Webcam32 software, or more seriously to execute code on the system running Webcam32. This allows complete control over a Windows 95/98 system, and user level access to a Windows NT system.

Recommended Action:

Users should upgrade to webcam32 4.8.3 (or newer).

Registered users can download a fixed version of Webcam32 from:

http://www.kolban.com/webcam32/registered/Default.htm

The password to this site is provided as part of the software registration process for this software.

Unregistered users can download a fixed version of Webcam32 from:

http://www.kolban/com/webcam32/

Network administrators can protect internal machines from an external attack by filtering all incoming connections to TCP port 25867.

Determining If You Are Vulnerable:

If you are running Webcam32 by Neil Kolban, go to the Help menu and select "About webcam32". If the version number is between v4.5.1 and v4.8.3 beta 3, inclusive, your system is vulnerable to this attack.

Network administrators should scan their network for systems listening to TCP port 25867. Systems listening on this port are likely to be vulnerable to this attack, although new versions of Webcam32 with the remote administration feature explicitly enabled on the default port may also be listening and are not vulnerable.

Description:

The Webcam32 software acts as a stand-alone web server to present a real-time video feed to a standard web browser. Part of this web server contains a remote administration feature that allows configuration via a web browser. The remote administration feature fails to properly check the input size, allowing a remote attacker to craft a URL that will overflow an internal buffer on the stack.

Buffer overflows are easily exploited to crash the software containing the overflow. An experienced attacker can construct (and distribute) an exploit that will execute arbitrary code on the remote system. Although this serious attack is less frequently seen on Windows than on Unix systems, detailed instructions on how to construct this attack for a Windows application has been distributed by a well-known hacker group. 

ISS X-Force expects to see code execution type buffer overflow exploits on Windows more widely available in the future. As a consequence, administrators should be especially vigilant in correcting buffer overflow vulnerabilities.

 Additional Information:

This security issue was discovered by David Meltzer ([email protected]) of ISS X-Force. ISS X-Force would like to thank Neil Kolban for his response and handling of this vulnerability.

_________

Copyright (c) 1998 by Internet Security Systems, Inc.

ISS vulnerability reports are public notifications of vulnerabilities discovered and researched by the ISS X-Force that have a smaller scope of impact than vulnerabilities published in an ISS Advisory. Although this vulnerability is very serious, there is only a small number of vulnerable systems, limiting the impact this vulnerability may have upon the Internet as a whole. Permission is hereby granted for the redistribution of this Vulnerability Report electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [email protected] for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user"s own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT"s PGP key server and PGP.com"s key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:

X-Force <[email protected]> of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----

Version: 2.6.3a

Charset: noconv

iQCVAwUBNewuojRfJiV99eG9AQGGlgP/YonsdjL94sFCSOgDyMHKZQGCF8UqDUp6
ybO0mdBLdLn92Z+fBubCA1o20thRx+zw0jEuITB+6rnSyFQw6HaZS1rdMETlH33x
4CWbtrh8vydGbMSleuXAnu9zURMS9q/Ey58/+bqIgqHRqUmDCoqA0zc/eC0SUR7s
rVh5QoSiwaE=
=Pj87

-----END PGP SIGNATURE-----

 

To learn more about NT Security concerns, subscribe to NTSD

Credits
- Originally reported by ISS
- Posted on The NT Shop on September 1, 1998
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish