('binary' encoding is not supported, stored as-is)
-----------------------------
Software: Willings WebCam
Corporation: Illustrate
Revision Date: May 09, 2005
Version: 2.8
Tested on: Windows 2000 SP4
Vulnerability: Local Password Disclosure Issue
----------------------------------------------
BACKGROUND
----------
Willing Webcam is a simple, yet fully-featured software tool designed to help you capture
streaming video and snapshots and publish them on your website. To make your video production
shine, you can enhance it with comments, date and time stamps, watermarks, and various live
video effects. You can also create a digital album where images and videos are organized
for fast retrieval and viewing. Uses a motion control detection sensor that wakes up your
web camera at the slightest motion in the room. The sensor can trigger a variety of actions,
including email sending, movie saving, FTP uploading, sound alarm, or a launch of any
specified application. In addition to the motion sensor, the program has a time-lapse option.
It allows you to record video at specified time intervals.
Source: www.willingsoftware.com
VULNERABLE PRODUCTS
-------------------
Willings WebCam <= 2.8
Willings WebCam Lite <= 2.8
CONTEXT
-------
In the option settings, you can define an administrator password to protect the local
configuration access. If the password is forgotten, and that you decide to reinstall
for re-initialize it... damned it doesn't work. This bug was discovered by Secubox Labs
thanks to a customer who had lost his password. The recovery tool realisation allowed us
to put the stress on a weakness software.
VULNERABILITY
-------------
The problem resides in the fact that the application will execute a function that loads
the password in static memory before the user has even identified himself.
A simple read operation at this address will reveal the password.
**********************************
Memory: Willings WebCam ( ww.exe )
AllocationBase: 7B930000 - Read/Write - Private
-----------------------------------------------------------------------\
00 00 00 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; ...DEGetBlockFmt |
4E 61 6D 65 73 50 61 72 61 6D 00 00 00 00 00 40 ; NamesParam.....@ |
00 00 00 00 00 00 00 31 00 00 00 44 45 47 65 74 ; .......1...DEGet |
42 6C 6F 63 6B 46 6D 74 4E 61 6D 65 73 50 61 72 ; BlockFmtNamesPar |
61 6D 2E 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; am.DEGetBlockFmt |
4E 61 6D 65 73 50 61 72 61 6D 2E 31 00 00 00 20 ; NamesParam.1... |
00 00 00 01 00 00 00 13 00 00 00 41 63 74 69 6F ; ...........Actio |
6E 4E 65 74 77 6F 72 6B 43 61 6D 65 72 61 00 20 ; nNetworkCamera. |____________
00 00 00 01 00 00 00 07 00 00 00 53 65 63 75 42 ; ...........SecuB <--/ PLAIN TEXT \
6F 78 00 4E 44 20 50 41 53 53 57 4F 52 44 00 20 ; ox.ND PASSWORD. <--\____________/
00 00 00 D0 8A 83 00 80 68 9F 7B 01 00 00 00 04 ; ...Њƒ.€hŸ{..... |
00 00 00 65 78 00 00 65 50 61 72 61 6D 2E 44 40 ; ...ex..eParam.D@ |
00 00 00 01 00 00 00 1F 00 00 00 44 69 72 65 63 ; ...........Direc |
74 58 20 76 69 64 65 6F 20 73 6F 75 72 63 65 2E ; tX video source. |
20 20 43 74 72 6C 2B 46 31 30 00 44 65 6E 61 6C ; Ctrl+F10.Denal |
69 44 6C 67 39 38 2E 44 65 6E 61 6C 69 44 6C 00 ; iDlg98.DenaliDl. |
01 00 00 68 35 7B 00 00 6E 93 7B 48 CF 94 7B 01 ; ...h5{..n“{HÏ”{. |
-----------------------------------------------------------------------/
Class is "TFormJB" and Window name "Input Password"
Start -> 7b94cf68 - 47 - inc edi
The end, just find -> "ND PASSWORD"
***************************************************
VENDOR STATUS
-------------
Vendor have been contacted: 6 may 2005
CREDITS
----------------------
SecuBox Labs - fRoGGz
unsecure[at]writeme[dot]com
----------------------------
Received on May 13 2005
Intro
