
tcambof.txt

Date: 25 Feb 2005 | Reported by: Luigi Auriemma | Type: packetstorm | Source: packetstormsecurity.com

Security flaws in TrackerCam 5.12 include buffer-overflows, information disclosure, and injection.

Code
`  
#######################################################################  
  
Luigi Auriemma  
  
Application: TrackerCam  
http://www.trackercam.com  
Versions: <= 5.12  
Platforms: Windows  
Bugs: A] User-Agent buffer-overflow  
B] PHP argument buffer-overflow  
C] directory traversal and full path disclosure  
D] html injection in log file  
E] information disclosure  
F] crash caused by multiple error messages  
Exploitation: remote  
Date: 18 Feb 2005  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: http://aluigi.altervista.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bugs  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
TrackerCam is a webcam HTTP server that can be made publicly and  
easily visible through the TrackerCam community page:  
http://www.trackercam.com/livecams  
  
  
#######################################################################  
  
=======  
2) Bugs  
=======  
  
-----------------------------  
A] User-Agent buffer-overflow  
-----------------------------  
  
An HTTP request containing a User-Agent field longer than 216 bytes  
leads to a buffer-overflow.  
  
  
-------------------------------  
B] PHP argument buffer-overflow  
-------------------------------  
  
As above but this buffer-overflow happens when the server handles an  
argument longer than 256 bytes passed to any PHP script.  
Example:  
http://host:8090/MessageBoard/messages.php?aaaaaaaaaaa...aaaa  
  
  
-----------------------------------------------  
C] directory traversal and full path disclosure  
-----------------------------------------------  
  
TrackerCam has a PHP script, accessible by anyone (bug E), that is used  
to view the log files from the web interface.  
The problem is that the log filename is passed through a PHP argument  
and the script performs no security checks, so an attacker can choose  
which file to read and, since a directory traversal attack is possible,  
from which location.  
If the file doesn't exist or no argument is passed, the full physical  
path where the ComGetLogFile.php3 script is located is shown.  
Slash, backslash and their hex values are all allowed.  
Example:  
  
http://host:8090/tuner/ComGetLogFile.php3?fn=../../../../windows/system.ini  
  
  
-----------------------------  
D] html injection in log file  
-----------------------------  
  
Any login (correct or wrong) is logged in the current log file of the  
month. As already said, this file is also visible through a web browser,  
allowing an attacker to put HTML or any other code supported by the  
admin's browser in the log file through a login request.  
  
  
-------------------------  
E] information disclosure  
-------------------------  
  
As said in bug C, the ComGetLogFile.php3 script can be reached without  
restrictions: even servers protected by passwords always have some  
interesting areas accessible by anyone, and the log file is just one of  
those, or at least the one that poses a threat.  
Both wrong and correct logins are logged in this file, so it is  
possible to guess the working passwords (which naturally are not stored  
in the file), learn which IP addresses have accessed the server or  
retrieve other small pieces of information.  
Each log file contains the logins of the entire month so an example of  
log filename for the current month is:  
http://host:8090/tuner/ComGetLogFile.php3?fn=Eye2005_02.log  
  
  
------------------------------------------  
F] crash caused by multiple error messages  
------------------------------------------  
  
If the server receives a negative Content-Length, it shows a simple  
MessageBox with an "insufficient memory" error, and the same happens for  
any subsequent bad request like that.  
After about 300 of these consecutive errors the server crashes.  
  
Another similar problem (just to take note, but not so important)  
happens after about 10 megabytes of data have been sent.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
http://aluigi.altervista.org/poc/tcambof.zip  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix.  
The developers don't seem interested in fixing these bugs.  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.altervista.org  
  
`
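Since the advisory reports no fix, one option is to screen requests in front of the server. The following is an added example, not code from the advisory or from TrackerCam: a Python check that flags raw HTTP requests matching the conditions stated for bugs A, B, C and F. The function name, the sample requests and the reading of "argument" as one `&`-separated query item are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

UA_LIMIT = 216       # bug A: User-Agent longer than this overflows
PHP_ARG_LIMIT = 256  # bug B: PHP argument longer than this overflows

def screen_request(raw: bytes) -> list:
    """Return the advisory bug letters (A, B, C, F) that a raw request matches."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")  # 1 char == 1 byte
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    url = urlsplit(parts[1] if len(parts) > 1 else "")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    args = url.query.split("&") if url.query else []
    hits = []
    if len(headers.get("user-agent", "")) > UA_LIMIT:
        hits.append("A")
    # Assumption: "argument" means one &-separated query item of a .php/.php3 URL.
    if re.search(r"\.php\d?$", url.path, re.I) and any(len(a) > PHP_ARG_LIMIT for a in args):
        hits.append("B")
    if url.path.lower().endswith("/comgetlogfile.php3"):
        for arg in args:
            key, _, value = arg.partition("=")
            # Decode hex escapes (one extra round for double encoding) and
            # treat backslash like slash, since the advisory says both work.
            decoded = unquote(unquote(value)).replace("\\", "/")
            if key == "fn" and ("/" in decoded or ".." in decoded or ":" in decoded):
                hits.append("C")
                break
    if re.fullmatch(r"-\d+", headers.get("content-length", "")):
        hits.append("F")
    return hits

# Constructed requests for illustration, not captured traffic.
SAMPLES = {
    "normal": b"GET /tuner/ComGetLogFile.php3?fn=Eye2005_02.log HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "long_ua": b"GET / HTTP/1.0\r\nUser-Agent: " + b"a" * 217 + b"\r\n\r\n",
    "long_arg": b"GET /MessageBoard/messages.php?" + b"a" * 257 + b" HTTP/1.0\r\n\r\n",
    "traversal": b"GET /tuner/ComGetLogFile.php3?fn=..%5c..%2fwindows/system.ini HTTP/1.0\r\n\r\n",
    "neg_length": b"POST / HTTP/1.0\r\nContent-Length: -1\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, screen_request(request))
```

The "normal" request is not flagged even though bug E makes that log readable by anyone; restricting access to the script is a separate control.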

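How a log viewer can avoid the behaviour described in bugs C and D, as an added Python example that is not the advisory's code and not TrackerCam's script: the file name is checked against an allowlist, every failure returns the same short message so no physical path is disclosed, and the log text is HTML-escaped before display. The `render_log` function, the name pattern (taken from the advisory's `Eye2005_02.log` example) and the log line format are assumptions.

```python
import html
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Assumption: log names follow the advisory's example, Eye2005_02.log.
LOG_NAME = re.compile(r"Eye\d{4}_\d{2}\.log")

def render_log(log_dir: Path, fn: str) -> tuple:
    """Return (status, body) for a log-view request without the bug C/D behaviour."""
    name = unquote(fn)
    # Bug C: accept only a bare, allowlisted file name; separators never match.
    if not LOG_NAME.fullmatch(name):
        return 400, "invalid log name"
    path = (log_dir / name).resolve()
    # Defence in depth: the resolved path must sit directly inside log_dir.
    if path.parent != log_dir.resolve() or not path.is_file():
        # Fixed message for every failure, so the physical path never leaks.
        return 404, "log not found"
    text = path.read_text(encoding="latin-1")
    # Bug D: login fields are attacker-controlled, so escape before display.
    return 200, "<pre>" + html.escape(text) + "</pre>"

def demo() -> list:
    """Run the viewer over a constructed log in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp)
        # Constructed log line: a login name carrying markup (bug D).
        (log_dir / "Eye2005_02.log").write_text("login failed: <b>x</b> from 192.0.2.7\n")
        names = ("Eye2005_02.log", "..%2f..%2fwindows/system.ini",
                 "..\\..\\boot.ini", "Eye2005_03.log")
        return [render_log(log_dir, fn) for fn in names]

if __name__ == "__main__":
    for status, body in demo():
        print(status, repr(body))
```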