Yawcam 0.6.0 Directory Traversal

Yawcam versions 0.2.6 through 0.6.0 suffer from a directory traversal vulnerability.

MD5 | 8b2ff035a9acdb60012023f99d73de9a

Directory traversal vulnerability in Yawcam webcam server

Affected Versions: Yawcam 0.2.6 through 0.6.0
Patched Versions: Yawcam 0.6.1
Vendor: Yawcam
Vendor URL: http://www.yawcam.com
CVE: CVE-2017-17662
Credit: David Panter, Global Relay CSOC
Status: Public
Public disclosure URL: http://www.yawcam.com/news.php

By sending a specially crafted HTTP GET request a remote attacker can read arbitrary files on the target computer under the privileges of the Yawcam software or service.

Product Description
Yawcam is a free webcam software with an integrated HTTP server and wide variety of features.

Severity Rating: High

Vulnerability description
The Yamcam HTTP server contains a directory traversal vulnerability that allows attacker to read arbitrary files through a sequence in the form '.x./' or '....\x/' where x is a pattern composed of one or more (zero or more for the second pattern) of either \ or ..\ for example '.\./', '....\/' or '...\./'.

For files with no extension a single dot needs to be appended to ensure the HTTP server does not alter the request.

By sending the following string to the Yawcam HTTP server we can read the hosts file from the target machine
"GET /.\./.\./.\./.\./.\./.\./.\./windows/system32/drivers/etc/hosts."

2017-12-12 Vulnerability discovered
2017-12-13 Vendor contacted
2017-12-13 CVE ID assigned
2017-12-15 Vendor reply
2017-12-18 Fixed version released
2017-12-18 Vendor disclosed vulnerability

Related Posts