vcs100.txt

vcs100.txt: Posted Jul 2, 2005; Authored by Donato Ferrante | Site autistici.org; Video Cam Server version 1.0.0 is susceptible to a directory traversal attack.; tags | exploit; SHA-256 | ada3a5328ddaa14bdc136ad11e095dc6ab58a6c24f3b0f31394aa705cb84dc7d; Download | Favorite | View

vcs100.txt


                           Donato Ferrante


Application:  Video Cam Server
              https://vcs.raybase.com/

Version:      1.0.0

Bugs:         Multiple Vulnerabilities

Date:         02-May-2005

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"Video Cam Server (VCS) is a server for publishing the image taken from
a Video Camera (especially Web Cam) connected to it. It will be very
useful for remote monitoring your home, office or other environment."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

The bugs are located into the built-in webserver.
By default no HTTP Authentication is set so a malicious user can:

i.
     (path disclosure) know the remote current path, by sending an
     http request for an unavailable page.

ii.
     (directory traversal) go out the document root assigned to the
     webserver by using common malicious patterns like: ".." into
     http requests, and see/download all the files available on the
     remote system.

iii.
     (denial of service) shutdown http-server and/or camera, by using
     admin's control page that it's not properly managed.


NOTE:

Reported vulnerabilities are also valid if the HTTP Authentication is
set, but in this case the malicious user must obtain login information.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerabilities:

i.
    https://[host]/%20


ii.
    https://[host]/..\..\..\..\..\..\..\..\..\..\..\windows\system.ini

    or connect to the webserver and send a raw request like:

    GET /../../../../../../../../../../../windows/system.ini HTTP/1.1


iii.
    https://[host]/admin.html



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Vendor has been notified.
Bugs will be probably fixed in the next release.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Top Authors In Last 30 Days

Red Hat 300 files
Ubuntu 63 files
Debian 20 files
LiquidWorm 19 files
Apple 9 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files
nu11secur1ty 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,163)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,928)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,326)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,981)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

vcs100.txt

vcs100.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

vcs100.txt

Share This

vcs100.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems