CamFrog Password Disclosure Vulnerability

2009.02.09
Credit: zigmatn
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Advisory: CamFrog Video Chat Password Disclosure Vulnerability

Versions Affected:
CamFrog Video Chat Version 5.0 (free version)
Camfrog Pro 5.2 (paid version, $49.95)

Release Date: 7 February 2009

Description:
CamFrog Video Chat 5.0 and Camfrog Pro 5.2 suffer from a local password disclosure vulnerability due to the lack of proper encryption of credentials at the process level. The credentials can be extracted in clear text by dumping the process memory of the live camfrog process when a connection is established.

Note: This vulnerability can be exploited through social engineering tricks, such as fooling the user into executing malicious code which would dump the memory of the process.

Proof of Concept: http://nullarea.net/sploits/c/camfrog/poc.pdf

Credits: Zigma [zigmatn{a.t}gmail.com] http://NullArea.NET

Time Line:
Notification: 28-01-209 -- Contacted via email, though no response till now

References:

http://seclists.org/bugtraq/2009/Feb/0053.html
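A mitigation sketch for the weakness described in the advisory, added here as an example and not taken from CamFrog or from the advisory author: the cleartext password is wiped as soon as the login step finishes, so only a session token stays in process memory. The session struct, function names, and the placeholder token routine are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PW_MAX 64

/* Hypothetical client session state (constructed for this example). */
struct session {
    char password[PW_MAX];   /* cleartext credential buffer */
    unsigned long token;     /* stand-in for a server-issued session token */
};

/* Wipe through a volatile pointer so the stores are not removed as dead writes. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Placeholder for the network login exchange; not a real auth scheme. */
static unsigned long fake_authenticate(const char *pw) {
    unsigned long h = 5381;
    while (*pw) h = h * 33 + (unsigned char)*pw++;
    return h;
}

/* Weak pattern: the cleartext stays in the session for the whole connection. */
int login_keep(struct session *s, const char *pw) {
    if (strlen(pw) >= PW_MAX) return -1;
    strcpy(s->password, pw);
    s->token = fake_authenticate(s->password);
    return 0;
}

/* Hardened pattern: only the token outlives the login call.
   The caller remains responsible for wiping its own copy of pw. */
int login_wipe(struct session *s, const char *pw) {
    if (strlen(pw) >= PW_MAX) return -1;
    strcpy(s->password, pw);
    s->token = fake_authenticate(s->password);
    secure_wipe(s->password, sizeof s->password);
    return 0;
}

/* Self-check: does this session's own memory still contain the cleartext? */
int session_holds_cleartext(const struct session *s, const char *pw) {
    const unsigned char *m = (const unsigned char *)s;
    size_t n = strlen(pw), i;
    if (n == 0 || n > sizeof *s) return 0;
    for (i = 0; i + n <= sizeof *s; i++)
        if (memcmp(m + i, pw, n) == 0) return 1;
    return 0;
}
```

Wiping shortens the time the credential is resident; it does not protect the password while the login call itself is running.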

