===============================================================================
FRAME4 SECURITY ADVISORY [FSA-2003:002]
-------------------------------------------------------------------------------
PRODUCT : WebcamXP
PRODUCT/VENDOR URL : http://www.darkwet.net/
TYPE : Vulnerability / Exploit
IMPACT : Medium
SUMMARY : Code Injection Vulnerabilities in WebcamXP Chat Feature
DISCOVERY DATE : 00/03/2003
PUBLIC RELEASE : 02/05/2003
AFFECTED VERSION(S): All (as of discovery date)
FIXED VERSION(S) : None
VENDOR NOTIFIED : Yes
-------------------------------------------------------------------------------

BACKGROUNDER:
Vendor web site states that WebcamXP is a "powerful webcam utility with an
integrated http server so you don't need to install a web server on your
computer. Works under all windows os and the server port can be changed."

INTRODUCTION:
We have discovered various code injection vulnerabilities in the chat feature
of WebcamXP.

ADVISORY URL:
This advisory is available in its original format at the following URL:
http://www.frame4.com/content/advisories/FSA-2003-002.txt

VENDOR CONTACT:
We have emailed the creator of the program, "wet", on wet@darkwet.net with the
specifics of this vulnerability on the release date of this advisory.

VULNERABILITY DESCRIPTION:
Please refer to the 'Technical Description' section below for a full
description of the problem(s).

VULNERABLE APPLICATION(S)/PACKAGE(S)/VERSION(S):
We have tested these vulnerabilities between two versions; v1.02.432 and the
latest build, v1.02.535. Whereas the chatbox feature on the application side
seems to be pretty immune to code injection (MOST code gets stripped), the web
page portion is far from being safe.
Although the tests have been carried out between two builds of the program, it
is highly possible that other versions behave the same way. The tests were only
carried out using Microsoft Internet Explorer.

SOLUTION/VENDOR INFORMATION/WORKAROUND:
None as yet. Although recently the server portion of the chat feature has been
upgraded (where certain tags get filtered), the problems still seem to exist.
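
The following is an added illustration, not code from WebcamXP or its vendor, of why filtering "certain tags" from chat messages is not a fix, while HTML-encoding every message before the server relays it to other chat participants is. The function names, the chat line markup and the sample messages are all constructed for this example.

```javascript
// Weak approach: remove a fixed list of exact, lower-case tags from the
// message. This is the kind of "certain tags get filtered" change the
// advisory says was made; anything not on the list, or written in a
// different case, or left unclosed, passes straight through.
function stripKnownTags(msg) {
  return msg.replace(/<\/?(script|iframe)>/g, "");
}

// Correct approach: encode every character that has meaning in HTML so the
// browser shows the message as text, however well or badly it is formed.
function htmlEncode(msg) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return msg.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the HTML line the chat server would push to every participant,
// applying the chosen treatment to the message body (hypothetical markup).
function renderChatLine(user, msg, treat) {
  return '<div class="chat">' + htmlEncode(user) + ": " + treat(msg) + "</div>";
}

// True if the rendered line still contains markup a browser would act on.
// This inspects the string only, so it flags an opening '<' followed by an
// element name, not what a real browser would do with it.
function hasActiveElement(html) {
  return /<\s*(script|iframe)\b/i.test(html);
}

// Constructed messages standing in for the advisory's own payloads, which
// are not reproduced here: a plain line, a lower-case tag the weak filter
// catches, the same tag in upper case, and an unclosed tag of the kind
// item [004] describes as a "malformed" command.
const SAMPLES = [
  "hello from the cam page",
  "<script>x</script>",
  "<SCRIPT>x</SCRIPT>",
  "<iframe src=about:blank",
];

// For each sample, report whether active markup survives each treatment.
function compareFilters(samples = SAMPLES) {
  return samples.map((msg) => ({
    msg,
    stripped: hasActiveElement(renderChatLine("viewer", msg, stripKnownTags)),
    encoded: hasActiveElement(renderChatLine("viewer", msg, htmlEncode)),
  }));
}
```

Running compareFilters() shows the stripping filter only neutralises the second sample, whereas encoding leaves no active markup in any of them.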

TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:
The below examples are merely a small portion of what could be possible and in
no way constitute an exhaustive list of potential vulnerabilities.

[001] Code Injection 1
We have ascertained that typing in the
message field on the web page generates a message box whereas this should be
ignored. You can see an actual screen shot of this at the following URL:
http://www.frame4.com/content/advisories/FSA-2003-002-01.jpg

[002] Code Injection 2
Following on from the previous example, we have also noticed that in a similar
manner, an IFRAME can be generated by simply typing the following 'command' in
the message field: . You can find the
relevant screen shots of this 'feature' at the following URLs:
http://www.frame4.com/content/advisories/FSA-2003-002-01.jpg
http://www.frame4.com/content/advisories/FSA-2003-002-02.jpg
http://www.frame4.com/content/advisories/FSA-2003-002-03.jpg

[003] Code Injection 3
This is the "showstopper". We have discovered that the IFRAME can be "pushed"
onto the chat initiator in the same fashion. In this case, a webcam operator
for example, can inject a script "out" to the user via the internal chat box.
A screen shot of this problem can be seen here:
http://www.frame4.com/content/advisories/FSA-2003-002-04.jpg

[004] "Malformed Code" Injection
Whereas the command creates a perfect
IFRAME (see above), if we issue (by accident) the same command in the "wrong"
manner, i.e.: