COMMAND

    webcam32

SYSTEMS AFFECTED

    Windows systems running the Webcam32 program, v4.5.1 to v4.8.3 beta 3

PROBLEM

    The following is based on an ISS Vulnerability Alert.  There is a
    vulnerability present in Kolban's Webcam32 v4.5.1 to v4.8.3 beta 3.
    It allows a remote attacker to overflow a buffer, which can result
    in crashing the Webcam32 software or, more seriously, in executing
    code on the system running Webcam32.  That gives complete control
    over a Windows 95/98 system, and access to a Windows NT system with
    the privileges of the user account running Webcam32.

    If you are running  Webcam32 by Neil Kolban,  go to the Help  menu
    and select  'About webcam32'.   If the  version number  is between
    v4.5.1 and v4.8.3 beta 3, inclusive, your system is vulnerable  to
    this attack.
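
    The range check above is easy to get wrong by hand because a beta
    sorts before the release with the same number (4.8.3 beta 3 is
    affected, 4.8.3 is fixed).  The following is an added example, not
    code from the advisory or from Kolban: it parses a version string
    as displayed in 'About webcam32' and reports whether it falls in
    the affected range.  The accepted string shapes ("4.8.3",
    "v4.8.3", "4.8.3 beta 3", "4.8.3 beta3") are assumptions about how
    the version is written.

```c
/* Added example, not Webcam32 code: classify a Webcam32 version string
 * against the affected range v4.5.1 .. v4.8.3 beta 3 (inclusive).
 * A beta orders before the release with the same number.  Accepted
 * input shapes are an assumption. */
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* beta == INT_MAX marks a final release, so it sorts after any beta. */
typedef struct { int major, minor, patch, beta; } ver_t;

/* Parse "4.8.3", "v4.8.3", "4.8.3 beta 3" or "4.8.3 beta3".
 * Returns 1 on success, 0 if the string is not a recognised version. */
int parse_version(const char *s, ver_t *v)
{
    char tag[8];
    int n;

    while (*s == ' ' || *s == 'v' || *s == 'V') s++;   /* accept "v4.8.3" */
    v->beta = INT_MAX;
    n = sscanf(s, "%d.%d.%d %7s %d",
               &v->major, &v->minor, &v->patch, tag, &v->beta);
    if (n < 3) return 0;
    if (n == 3) return 1;                              /* plain release */
    if (strncmp(tag, "beta", 4) != 0 && strncmp(tag, "Beta", 4) != 0)
        return 0;                                      /* unknown suffix */
    if (n == 5) return tag[4] == '\0';                 /* "beta 3" */
    return sscanf(tag + 4, "%d", &v->beta) == 1;       /* "beta3" */
}

/* Lexicographic compare: major, minor, patch, then beta number. */
int cmp_version(const ver_t *a, const ver_t *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->beta  != b->beta)  return a->beta  < b->beta  ? -1 : 1;
    return 0;
}

/* 1 = in the affected range, 0 = outside it, -1 = unparseable. */
int webcam32_affected(const char *version_string)
{
    static const ver_t first = { 4, 5, 1, INT_MAX };   /* v4.5.1 */
    static const ver_t last  = { 4, 8, 3, 3 };         /* v4.8.3 beta 3 */
    ver_t v;

    if (!parse_version(version_string, &v)) return -1;
    return cmp_version(&v, &first) >= 0 && cmp_version(&v, &last) <= 0;
}

int main(void)
{
    /* constructed sample strings, as a user might copy them from the About box */
    const char *samples[] = { "4.5.0", "4.5.1", "4.7.2", "4.8.3 beta 3",
                              "4.8.3 beta3", "v4.8.3", "4.9.0", "garbage" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], webcam32_affected(samples[i]));
    return 0;
}
```

    The result 1 means "upgrade"; 0 means the installed build is
    outside the advisory's range; -1 means the string did not parse
    and should be checked by hand.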

    The Webcam32 software acts as a stand-alone web server to present
    a real-time video feed to a standard web browser.  Part of this
    web server is a remote administration feature that allows
    configuration via a web browser.  The remote administration
    feature fails to check the size of its input, allowing a remote
    attacker to craft a URL that overflows an internal buffer on the
    stack.  Buffer overflows are easily exploited to crash the software
    containing the overflow.  An experienced attacker can construct
    (and distribute) an exploit that executes arbitrary code on the
    remote system.  Although this more serious attack is less
    frequently seen on Windows than on Unix systems, detailed
    instructions on how to construct it against a Windows application
    have been distributed by a well-known hacker group.  This security
    issue was discovered by David Meltzer of ISS X-Force.
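
    To make the flaw concrete, the following is an added illustration
    of the pattern described above, not Webcam32's source (which is
    not public): a web handler copies a URL query parameter into a
    fixed-size stack buffer with no length check, shown beside a
    bounded version that rejects oversized values.  The buffer size,
    parameter names and request strings are assumptions chosen for the
    example.

```c
/* Added illustration, not Webcam32 code: a query-string parameter copied
 * into a fixed stack buffer without a length check, beside a bounded
 * version.  PARAM_MAX, the parameter names and the sample requests are
 * assumptions. */
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 64   /* assumed size of the handler's stack buffer */

/* Locate "key=" at the start of a '&'-separated segment of query.
 * Returns a pointer to the value and sets *vlen to its length, or NULL. */
static const char *find_param(const char *query, const char *key, size_t *vlen)
{
    size_t klen = strlen(key);
    const char *p = query;

    while (*p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            *vlen = strcspn(v, "&");   /* the remote client controls this */
            return v;
        }
        p += strcspn(p, "&");          /* skip to the next segment */
        if (*p == '&') p++;
    }
    return NULL;
}

/* VULNERABLE: copies the whole value whatever the destination size.
 * A value of PARAM_MAX bytes or more writes past out[] and, on the stack,
 * over the saved return address.  Returns the value length or -1. */
int get_param_unchecked(const char *query, const char *key, char *out)
{
    size_t n;
    const char *v = find_param(query, key, &n);
    if (v == NULL) return -1;
    memcpy(out, v, n);                 /* no bound on n */
    out[n] = '\0';
    return (int)n;
}

/* HARDENED: the caller passes the destination size and any value that
 * does not fit (including its terminating NUL) is rejected with -2
 * rather than silently truncated. */
int get_param_checked(const char *query, const char *key,
                      char *out, size_t outsz)
{
    size_t n;
    const char *v = find_param(query, key, &n);
    if (v == NULL) return -1;
    if (n >= outsz) return -2;         /* oversize value: refuse it */
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}

/* A normal administration request handled by the bounded version. */
int demo_normal_request(void)
{
    char user[PARAM_MAX];
    return get_param_checked("cmd=config&user=admin&pw=secret", "user",
                             user, sizeof user);           /* 5 */
}

/* Constructed request: "user=" followed by 400 'A's, the shape of input
 * that would smash the unchecked handler's 64-byte stack buffer. */
int demo_oversized_request(void)
{
    char query[512];
    char user[PARAM_MAX];

    strcpy(query, "user=");
    memset(query + 5, 'A', 400);
    query[405] = '\0';
    return get_param_checked(query, "user", user, sizeof user);  /* -2 */
}

int main(void)
{
    char user[PARAM_MAX];
    int n = get_param_unchecked("user=admin", "user", user); /* short: fine */
    printf("unchecked, short value: n=%d user=%s\n", n, user);
    printf("checked, normal request: %d\n", demo_normal_request());
    printf("checked, 400-byte value: %d (rejected)\n", demo_oversized_request());
    return 0;
}
```

    Only the bounded function is exercised with the long value; calling
    get_param_unchecked with it is exactly the crash-or-worse the
    advisory describes.  Rejecting rather than truncating is the safer
    choice for an administration interface, since a truncated
    credential or setting can still be processed as if it were valid.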

SOLUTION

    Users should  upgrade to  webcam32 4.8.3  (or newer).   Registered
    users can download a fixed version of Webcam32 from:

        http://www.kolban.com/webcam32/registered/Default.htm

    The password  to this  site is  provided as  part of  the software
    registration process  for this  software.   Unregistered users can
    download a fixed version of Webcam32 from:

        http://www.kolban.com/webcam32/

    Network administrators can protect internal machines from an
    external attack by filtering all incoming connections to TCP port
    25867, the default port of the Webcam32 web server.  Network
    administrators should also scan their network for systems
    listening on TCP port 25867.  Systems listening on this port are
    likely to be vulnerable to this attack, although fixed versions of
    Webcam32 with the remote administration feature explicitly enabled
    on the default port will also be listening and are not vulnerable;
    confirm the version as described above before treating a host as
    safe or as compromised.