Bugtraq mailing list archives

ISS Vulnerability Alert: Remote Buffer Overflow in the Kolban


From: xforce () ISS NET (X-Force)
Date: Tue, 1 Sep 1998 16:26:36 -0400


-----BEGIN PGP SIGNED MESSAGE-----

ISS Vulnerability Alert
September 1, 1998


Remote Buffer Overflow in the Kolban Webcam32 Program

Synopsis:

There is a vulnerability present in Kolban's Webcam32 v4.5.1 to v4.8.3
beta 3.  This vulnerability allows a remote attacker to overflow a
buffer that can result in crashing the Webcam32 software, or more
seriously to execute code on the system running Webcam32.  This allows
complete control over a Windows 95/98 system, and user level access to
a Windows NT system.


Recommended Action:

Users should upgrade to webcam32 4.8.3 (or newer).

Registered users can download a fixed version of Webcam32 from:
http://www.kolban.com/webcam32/registered/Default.htm
The password to this site is provided as part of the software registration
process for this software.

Unregistered users can download a fixed version of Webcam32 from:
http://www.kolban.com/webcam32/

Network administrators can protect internal machines from an external
attack by filtering all incoming connections to TCP port 25867.


Determining If You Are Vulnerable:

If you are running Webcam32 by Neil Kolban, go to the Help menu and select
'About webcam32'.  If the version number is between v4.5.1 and v4.8.3 beta
3, inclusive, your system is vulnerable to this attack.

Network administrators should scan their network for systems listening to
TCP port 25867.  Systems listening on this port are likely to be
vulnerable to this attack, although new versions of Webcam32 with the
remote administration feature explicitly enabled on the default port may
also be listening and are not vulnerable.


Description:

The Webcam32 software acts as a stand-alone web server to present
a real-time video feed to a standard web browser.  Part of this web server
contains a remote administration feature that allows configuration via
a web browser.  The remote administration feature fails to properly check
the input size, allowing a remote attacker to craft a URL that will
overflow an internal buffer on the stack.

Buffer overflows are easily exploited to crash the software containing the
overflow.  An experienced attacker can construct (and distribute) an
exploit that will execute arbitrary code on the remote system.  Although
this serious attack is less frequently seen on Windows than on Unix
systems, detailed instructions on how to construct this attack for a
Windows application have been distributed by a well-known hacker group.

ISS X-Force expects to see code execution type buffer overflow exploits
on Windows more widely available in the future.  As a consequence,
administrators should be especially vigilant in correcting buffer overflow
vulnerabilities.


Additional Information:

This security issue was discovered by David Meltzer (davem () iss net) of ISS
X-Force.  ISS X-Force would like to thank Neil Kolban for his response and
handling of this vulnerability.

_________

Copyright (c) 1998 by Internet Security Systems, Inc.

ISS vulnerability reports are public notifications of vulnerabilities
discovered and researched by the ISS X-Force that have a smaller scope of
impact than vulnerabilities published in an ISS Advisory.  Although this
vulnerability is very serious, there is only a small number of vulnerable
systems, limiting the impact this vulnerability may have upon the Internet
as a whole.

Permission is hereby granted for the redistribution of this Vulnerability
Report electronically.  It is not to be edited in any way without express
consent of X-Force.  If you wish to reprint the whole or any part of this
Alert in any other medium excluding electronic medium, please e-mail
xforce () iss net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to:
X-Force <xforce () iss net> of Internet Security Systems, Inc.
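
The two checks under "Determining If You Are Vulnerable" (version range and TCP port 25867), combined into one triage routine as an added example that is not part of the ISS alert or of Webcam32. The About-box string format and all function names are assumptions made for illustration.

```python
import re
import socket

ADMIN_PORT = 25867                 # remote administration port named in the alert
FIRST_VULN = (4, 5, 1, 1, 0)       # v4.5.1 (final release)
LAST_VULN = (4, 8, 3, 0, 3)        # v4.8.3 beta 3
# Assumed spelling of the About-box string, e.g. "v4.8.3 beta 3" or "4.6.0".
_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:\s*beta\s*(\d+))?$", re.IGNORECASE)

def version_key(text):
    """Return a sortable tuple; a beta sorts before the final release it precedes."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(m.group(4)))

def in_advisory_range(text):
    """True for v4.5.1 through v4.8.3 beta 3, inclusive."""
    return FIRST_VULN <= version_key(text) <= LAST_VULN

def port_open(host, port=ADMIN_PORT, timeout=1.0):
    """TCP connect check for hosts you administer; no data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(version_text, listening):
    """Combine the About-box version (or None) with the port check result."""
    try:
        affected = in_advisory_range(version_text) if version_text else None
    except ValueError:
        affected = None
    if affected:
        return "upgrade"            # in range: move to 4.8.3 or newer
    if affected is None and listening:
        return "check-version"      # port open, version unknown: likely vulnerable
    if affected is None:
        return "unknown"
    return "outside-range"          # e.g. 4.8.3 final with remote admin enabled

if __name__ == "__main__":
    # Constructed inventory: (About-box string or None, port 25867 listening?)
    for row in [("v4.8.3 beta 3", True), ("4.8.3", True), (None, True), ("4.6.0", False)]:
        print(row, "->", triage(*row))
```

A version in range is reported for upgrade whether or not the port answers, since the alert's version test does not depend on the port check.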
