----------------------------- Software: Willings WebCam Corporation: Illustrate Revision Date: May 09, 2005 Version: 2.8 Tested on: Windows 2000 SP4 Vulnerability: Local Password Disclosure Issue ---------------------------------------------- BACKGROUND ---------- Willing Webcam is a simple, yet fully-featured software tool designed to help you capture streaming video and snapshots and publish them on your website. To make your video production shine, you can enhance it with comments, date and time stamps, watermarks, and various live video effects. You can also create a digital album where images and videos are organized for fast retrieval and viewing. Uses a motion control detection sensor that wakes up your web camera at the slightest motion in the room. The sensor can trigger a variety of actions, including email sending, movie saving, FTP uploading, sound alarm, or a launch of any specified application. In addition to the motion sensor, the program has a time-lapse option. It allows you to record video at specified time intervals. Source: www.willingsoftware.com VULNERABLE PRODUCTS ------------------- Willings WebCam <= 2.8 Willings WebCam Lite <= 2.8 CONTEXT ------- In the option settings, you can define an administrator password to protect the local configuration access. If the password is forgotten, and that you decide to reinstall for re-initialize it... damned it doesn't work. This bug was discovered by Secubox Labs thanks to a customer who had lost his password. The recovery tool realisation allowed us to put the stress on a weakness software. VULNERABILITY ------------- The problem resides in the fact that the application will execute a function that loads the password in static memory before the user has even identified himself. A simple read operation at this address will reveal the password. ********************************** Memory: Willings WebCam ( ww.exe ) AllocationBase: 7B930000 - Read/Write - Private -----------------------------------------------------------------------\ 00 00 00 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; ...DEGetBlockFmt | 4E 61 6D 65 73 50 61 72 61 6D 00 00 00 00 00 40 ; NamesParam.....@ | 00 00 00 00 00 00 00 31 00 00 00 44 45 47 65 74 ; .......1...DEGet | 42 6C 6F 63 6B 46 6D 74 4E 61 6D 65 73 50 61 72 ; BlockFmtNamesPar | 61 6D 2E 44 45 47 65 74 42 6C 6F 63 6B 46 6D 74 ; am.DEGetBlockFmt | 4E 61 6D 65 73 50 61 72 61 6D 2E 31 00 00 00 20 ; NamesParam.1... | 00 00 00 01 00 00 00 13 00 00 00 41 63 74 69 6F ; ...........Actio | 6E 4E 65 74 77 6F 72 6B 43 61 6D 65 72 61 00 20 ; nNetworkCamera. |____________ 00 00 00 01 00 00 00 07 00 00 00 53 65 63 75 42 ; ...........SecuB <--/ PLAIN TEXT \ 6F 78 00 4E 44 20 50 41 53 53 57 4F 52 44 00 20 ; ox.ND PASSWORD. <--\____________/ 00 00 00 D0 8A 83 00 80 68 9F 7B 01 00 00 00 04 ; ...Ð??.?h?{..... | 00 00 00 65 78 00 00 65 50 61 72 61 6D 2E 44 40 ; ...ex..eParam.D@ | 00 00 00 01 00 00 00 1F 00 00 00 44 69 72 65 63 ; ...........Direc | 74 58 20 76 69 64 65 6F 20 73 6F 75 72 63 65 2E ; tX video source. | 20 20 43 74 72 6C 2B 46 31 30 00 44 65 6E 61 6C ; Ctrl+F10.Denal | 69 44 6C 67 39 38 2E 44 65 6E 61 6C 69 44 6C 00 ; iDlg98.DenaliDl. | 01 00 00 68 35 7B 00 00 6E 93 7B 48 CF 94 7B 01 ; ...h5{..n?{HÏ?{. | -----------------------------------------------------------------------/ Class is "TFormJB" and Window name "Input Password" Start -> 7b94cf68 - 47 - inc edi The end, just find -> "ND PASSWORD" *************************************************** VENDOR STATUS ------------- Vendor have been contacted: 6 may 2005 CREDITS ---------------------- SecuBox Labs - fRoGGz unsecure[at]writeme[dot]com ----------------------------