FRAME4 SECURITY ADVISORY [FSA-2003:002]
PRODUCT : WebcamXP
PRODUCT/VENDOR URL : http://www.darkwet.net/
TYPE : Vulnerability / Exploit
IMPACT : Medium
SUMMARY : Code Injection Vulnerabilities in WebcamXP Chat
DISCOVERY DATE : 00/03/2003
PUBLIC RELEASE : 02/05/2003
AFFECTED VERSION(S): All (as of discovery date)
FIXED VERSION(S) : None
VENDOR NOTIFIED : Yes
Vendor web site states that WebcamXP is a "powerful webcam utility with an
integrated http server so you don't need to install a web server on your
computer. Works under all windows os and the server port can be changed."
We have discovered various code injection vulnerabilities in the chat
This advisory is available in its original format at the following URL:
We have emailed the creator of the program, "wet", on wet (at) darkwet (dot) net [email concealed] with
specifics of this vulnerability on the release date of this advisory.
Please refer to the 'Technical Description' section below, for full
of the problem(s).
We have tested these vulnerabilities between two versions; v1.02.432 and
latest build, v1.02.535. Whereas the chatbox feature on the application
seems to be pretty immune to code injection (MOST code gets stripped), the
page portion is far from being safe.
Although the tests have been carried out between two builds of the
is highly possible that other versions behave the same way. The tests were
carried out using Microsoft Internet Explorer.
None as yet. Although recently the server portion of the chat feature has
upgraded (where certain tags get filtered), the problems still seem to
TECHNICAL DESCRIPTION - EXPLOIT/CONCEPT CODE:
The below examples are merely a small portion of what could be possible
no way constitute an exhaustive list of potential vulnerabilities.
 Code Injection 1
We have ascertained that typing <script>alert(document.cookie);</script>
message field on the web page generates a message box whereas this should
ignored. You can see an actual screen shot of this at the following URL:
 Code Injection 2
Following on from the previous example, we have also noticed that in a
manner, an IFRAME can be generated by simply typing the
following 'command' in
the message field: <iframe src="http://frame4.com"></iframe>. You can find
relevant screen shots of this 'feature' at the following URLs:
 Code Injection 3
This is the "showstopper". We have discovered that the IFRAME can
onto the chat initiator in the same fashion. In this case, a webcam
for example, can inject a script "out" to the user via the internal chat
A screen shot of this problem can be seen here:
 "Malformed Code" Injection
Whereas the command <iframe src="http://frame4.com"></iframe> creates a
IFRAME (see above), if we issue (by accident) the same command in
the page goes into some kind of 'loop'. The message box gets generated and
we DO get an IFRAME (and rightly, you get an 404 as the content) but the
bars disappear and the page just stops responding.
Closing the browser and re-opening at the chat URL has absolutely no
the above loop gets repeated and the situation does not change until the
party resets or refreshes their page. A screen shot of this problem can be
The vulnerabilities outlined in this advisory and accompanying sample code
been discovered by a joint operation between Morning Wood and Anthony
have NOT circulated any of our findings through the underground community,
present them here as a PUBLIC DISCLOSURE.
morning_wood (at) thepub.co (dot) za [email concealed]
Morning Wood, Inc
anthony.aykut (at) frame4 (dot) com [email concealed]
Frame4 Security Systems
Frame4 Security Systems is a new security partner, empowering clients with
necessary knowledge and products to protect and secure their computer
Headquartered in The Netherlands, Frame4 can be reached at +31(0)172-
on the Web at http://www.frame4.com/.
This advisory is a Frame4 Security Systems ("Frame4") publication, all
reserved (c) 2003. You may (re-)distribute the text as long as the content
not changed in any way and with this header text intact. If you want to
this paper on your web site/FTP/Newsgroup/etc., we encourage you to do so,
long as no changes are made without the prior permission of the author(s),
fees are charged and proper credit is given.
IMPORTANT -- THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY. To the
extent permitted by applicable law, in no event shall Frame4 Security
be liable for any damages whatsoever, (including, without limitation,
for loss of any business profits, business interruption, loss of any
information, or other pecuniary loss) arising out of the use, or inability
use any software, and/or procedures outlined in this document, even if
Security Systems has been advised of the possibility of such damage(s).
are NO warranties with regard to this information.
This advisory is the property of Frame4 Security Systems, all rights
Copyright (c) 1999-2003 Frame4 Security Systems -- http://www.frame4.com/