NotSoGenius.txt

`Software Vulnerable  
  
Genius VideoCAM NB Driver  
http://download.geniusnet.com.tw/CAMERA/webnb.zip  
  
Other genius webcams with the same 'snapshot feature' might be  
affected with the same issue, if you have any of those please try to  
reproduce this issue.  
  
Affects: Windows XP / Windows 2000  
  
Proof of concept (omg leet)  
  
http://img159.imageshack.us/img159/5351/pwnt6qq.png  
  
Description  
  
This vuln is very similar to MS04-019 [1] , when you press the  
snapshot button on the webcam to take a picture, the snapshot viewer  
window appears, the problem is that this application is running with  
SYSTEM privileges,so you click file/save as, in the save as dialog you  
browse to X:\windows\system32\, type *.exe in the file name, then just  
right click and select open, a new shell with SYSTEM privileges  
appears. As you can see on the screenshot, there are two cmd.exe  
shells, one of those was started through the Run dialog, and the other  
through this vuln. To check the user privileges, I used whoami.exe  
from W32GnuUtils [2]  
  
  
[1] http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx  
[2] http://unxutils.sourceforge.net/  
[3] http://www.milw0rm.com/exploits/350 (example exploit ms04-019)  
  
Vendor contacted  
Vendor Response:  
  
1. Regarding the privilige problem, the limited user only can open the  
shell, they can't use another functions.  
  
2. Regarding the privilege probelm, the limited user can open the shell but  
can't use the functions provided by shell. It should be reasonable.  
Moreover, the VideoCam NB has been phased out, our R&D won't pay more effort  
to it unless usage bug.  
  
Conclusion  
  
I'm not sure what they mean with "can't use the functions provided by  
shell". You only need to add a new admin user with the net command, or  
use pwdump to dump the pw hashes, or just install a backdoor/rootkit.  
`