Dell Webcam Center was written by Creative and branded by Dell. It includes features to control the Dell laptop's integrated webcam, providing photo capture and video recording capability. It comes bundled with Creative Livecam, which provides animated avatars.
The CrazyTalk ActiveX control (CrazyTalk4.ocx, CLSID 13149882-F480-4F6B-8C6A-0764F75B99ED) that comes bundled with Dell Webcam Center is vulnerable to a remote stack buffer overflow because it fails to perform adequate boundary checks on user-supplied input passed via the **BackImage** property. The CrazyTalk4.ocx ActiveX control loads the CrazyTalk4Native.dll library and, while constructing a local file path, calls sprintf() with a destination buffer of insufficient size.
The vulnerable ActiveX control may be disabled through Internet Explorer by following these Microsoft instructions. The CLSID for the vulnerable control is 13149882-F480-4F6B-8C6A-0764F75B99ED.
This exploit was tested on Dell SX2210 Webcam Monitor RC1.1 R230103 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).
The exploit file must be opened using Internet Explorer 8 or 9 on the target system.