ID

VAR-200812-0330


CVE

CVE-2008-4391


TITLE

Linksys WVC54GC NetCamPlayerWeb11gv2 ActiveX control stack buffer overflow

Trust: 0.8

sources: CERT/CC: VU#639345

DESCRIPTION

Stack-based buffer overflow in the SetSource method in the NetCamPlayerWeb11gv2 ActiveX control in NetCamPlayerWeb11gv2.ocx on the Cisco Linksys WVC54GC wireless video camera before firmware 1.25 allows remote attackers to execute arbitrary code via long invalid arguments.

Linksys WVC54GC NetCamPlayerWeb11gv2 Agent ActiveX Control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input. Failed attacks will likely cause denial-of-service conditions. WVC53GC with firmware versions prior to 1.25 that include the ActiveX control are vulnerable.

Linksys WVC54GC is a wireless network camera that supports 802.11g protocol. If a user is tricked into browsing a specially crafted HTML document and provides a very long input parameter to the method, it can trigger a stack overflow, causing the browser to crash or execute arbitrary commands.

----------------------------------------------------------------------

TITLE: Linksys WVC54GCA Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA34767
VERIFY ADVISORY: http://secunia.com/advisories/34767/

DESCRIPTION: pagvac has reported some vulnerabilities in Linksys WVC54GCA, which can be exploited by malicious people to disclose sensitive information or conduct cross-site scripting attacks, and by malicious users to bypass certain security restrictions.

1) The device sends e.g. login credentials in plain text after receiving a specially crafted UDP packet. This is related to vulnerability #1 in: SA33032

2) Input passed to the "next_file" parameter in img/main.cgi is not properly verified before being used to read files. This can be exploited to read the .htpasswd file from the current directory and disclose the administrator's password. Successful exploitation of this vulnerability requires valid user credentials.

3) Input passed to the "next_file" parameter in img/main.cgi, main.cgi, and adm/file.cgi is not properly sanitised before being returned to the user. Other versions may also be affected.

SOLUTION: Use the product in trusted networks only. Filter malicious characters and character sequences in a web proxy.

PROVIDED AND/OR DISCOVERED BY: pagvac

ORIGINAL ADVISORY:
http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/
http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/
http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-4/

OTHER REFERENCES: SA33032: http://secunia.com/advisories/33032/

----------------------------------------------------------------------

1) A security issue is caused due to the device sending certain information (e.g. This can be exploited to gain access to sensitive information by sending a specially crafted packet to a vulnerable device.

2) A vulnerability is caused due to a boundary error in the "SetSource()" method of the NetCamPlayerWeb11gv2 ActiveX control (NetCamPlayerWeb11gv2.ocx). This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious website.

SOLUTION: Update to version 1.25.

PROVIDED AND/OR DISCOVERED BY: US-CERT credits Greg Linares, eEye

Trust: 3.6

sources: NVD: CVE-2008-4391 // CERT/CC: VU#639345 // CERT/CC: VU#528993 // JVNDB: JVNDB-2008-003495 // BID: 32665 // VULHUB: VHN-34516 // PACKETSTORM: 76983 // PACKETSTORM: 72709

IOT TAXONOMY

category: ['camera device'], sub_category: video camera

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: linksys a division of cisco, model: -, scope: -, version: -

Trust: 1.6

vendor: cisco, model: wvc54gc, scope: eq, version: 1.15

Trust: 1.6

vendor: cisco, model: wvc54gc, scope: lte, version: 1.19

Trust: 1.0

vendor: cisco, model: wvc54gc, scope: lt, version: firmware 1.25

Trust: 0.8

vendor: cisco, model: wvc54gc, scope: eq, version: 1.19

Trust: 0.6

vendor: linksys, model: wvc54gc, scope: eq, version: 0

Trust: 0.3

vendor: linksys, model: wvc54gc, scope: ne, version: 1.25

Trust: 0.3

sources: CERT/CC: VU#639345 // CERT/CC: VU#528993 // BID: 32665 // JVNDB: JVNDB-2008-003495 // CNNVD: CNNVD-200812-107 // NVD: CVE-2008-4391

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-4391
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#639345
value: 2.73

Trust: 0.8

CARNEGIE MELLON: VU#528993
value: 1.59

Trust: 0.8

NVD: CVE-2008-4391
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200812-107
value: CRITICAL

Trust: 0.6

VULHUB: VHN-34516
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2008-4391
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-34516
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#639345 // CERT/CC: VU#528993 // VULHUB: VHN-34516 // JVNDB: JVNDB-2008-003495 // CNNVD: CNNVD-200812-107 // NVD: CVE-2008-4391

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-34516 // JVNDB: JVNDB-2008-003495 // NVD: CVE-2008-4391

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200812-107

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200812-107

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-003495

PATCH

title: Top Page, url: http://home.cisco.com/en-apac/home

Trust: 0.8

sources: JVNDB: JVNDB-2008-003495

EXTERNAL IDS

db: CERT/CC, id: VU#639345

Trust: 3.7

db: NVD, id: CVE-2008-4391

Trust: 2.9

db: BID, id: 32665

Trust: 2.0

db: SECUNIA, id: 33032

Trust: 1.9

db: CERT/CC, id: VU#528993

Trust: 0.9

db: JVNDB, id: JVNDB-2008-003495

Trust: 0.8

db: CERT/CC, id: HTTP://WWW.KB.CERT.ORG/VULS/ID/WDON-7M2U52

Trust: 0.6

db: CNNVD, id: CNNVD-200812-107

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

db: VULHUB, id: VHN-34516

Trust: 0.1

db: SECUNIA, id: 34767

Trust: 0.1

db: PACKETSTORM, id: 76983

Trust: 0.1

db: PACKETSTORM, id: 72709

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#639345 // CERT/CC: VU#528993 // VULHUB: VHN-34516 // BID: 32665 // JVNDB: JVNDB-2008-003495 // PACKETSTORM: 76983 // PACKETSTORM: 72709 // CNNVD: CNNVD-200812-107 // NVD: CVE-2008-4391

REFERENCES

url:http://www.kb.cert.org/vuls/id/639345

Trust: 2.9

url:http://www.securityfocus.com/bid/32665

Trust: 1.7

url:http://www.kb.cert.org/vuls/id/wdon-7m2u52

Trust: 1.7

url:http://secunia.com/advisories/33032

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4391

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-4391

Trust: 0.8

url:http://www.linksys.com/servlet/satellite?blobcol=urldata&blobheadername1=content-type&blobheadername2=content-disposition&blobheadervalue1=text%2fplain&blobheadervalue2=inline%3b+filename%3dwvc54gc-v1

Trust: 0.3

url:http://www.linksys.com/

Trust: 0.3

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.2

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.2

url:http://secunia.com/advisories/33032/

Trust: 0.2

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.2

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/

Trust: 0.1

url:http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/

Trust: 0.1

url:http://secunia.com/advisories/34767/

Trust: 0.1

url:http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-4/

Trust: 0.1

url:http://secunia.com/advisories/try_vi/request_2008_report/

Trust: 0.1

url:http://www.kb.cert.org/vuls/id/528993

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/advisories/product/20682/

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#639345 // CERT/CC: VU#528993 // VULHUB: VHN-34516 // BID: 32665 // JVNDB: JVNDB-2008-003495 // PACKETSTORM: 76983 // PACKETSTORM: 72709 // CNNVD: CNNVD-200812-107 // NVD: CVE-2008-4391

CREDITS

Greg Linares※ glinares.code@gmail.com

Trust: 0.6

sources: CNNVD: CNNVD-200812-107

SOURCES

db: OTHER, id: -
db: CERT/CC, id: VU#639345
db: CERT/CC, id: VU#528993
db: VULHUB, id: VHN-34516
db: BID, id: 32665
db: JVNDB, id: JVNDB-2008-003495
db: PACKETSTORM, id: 76983
db: PACKETSTORM, id: 72709
db: CNNVD, id: CNNVD-200812-107
db: NVD, id: CVE-2008-4391

LAST UPDATE DATE

2025-04-10T22:24:25.610000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#639345, date: 2008-12-05T00:00:00
db: CERT/CC, id: VU#528993, date: 2008-12-05T00:00:00
db: VULHUB, id: VHN-34516, date: 2009-08-20T00:00:00
db: BID, id: 32665, date: 2008-12-08T17:31:00
db: JVNDB, id: JVNDB-2008-003495, date: 2012-06-26T00:00:00
db: CNNVD, id: CNNVD-200812-107, date: 2009-03-03T00:00:00
db: NVD, id: CVE-2008-4391, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: CERT/CC, id: VU#639345, date: 2008-12-05T00:00:00
db: CERT/CC, id: VU#528993, date: 2008-12-05T00:00:00
db: VULHUB, id: VHN-34516, date: 2008-12-09T00:00:00
db: BID, id: 32665, date: 2008-12-05T00:00:00
db: JVNDB, id: JVNDB-2008-003495, date: 2012-06-26T00:00:00
db: PACKETSTORM, id: 76983, date: 2009-04-27T15:17:22
db: PACKETSTORM, id: 72709, date: 2008-12-08T17:18:51
db: CNNVD, id: CNNVD-200812-107, date: 2008-12-09T00:00:00
db: NVD, id: CVE-2008-4391, date: 2008-12-09T00:30:00.267