Microsoft LifeCam – sucks the life out of me

It wasn’t my choice, but I was handed a Microsoft “LifeCam” today, as the original recipient didn’t want it. Figured I’d try to use it to make a Guinea Pig cam after seeing a nice setup and live streaming a few nights ago.

The software it comes with makes me want to vomit. Insert the CD, let it run. It installs the software and immediately shuts down the machine. No warning, doesn’t let you gracefully close running applications, just bam. The instructions say to run the software now.. but oh wait, it didn’t really install. It apparently had to install drivers that require a reboot, then you actually install the software. But the installation process looks identical, no way to know the 2nd time is actually installing it. Microsoft, it’s been 20 fucking years, and you still can’t produce halfway user friendly software? Nevermind that it finishes at almost 60 megs, nevermind that the picture quality is complete ass, nevermind that it can’t handle dimly lit rooms like competing cameras can. Forcing me to reboot w/o warning and install your software twice? All the while telling me I should install Windows Live Messenger?! Fuck you.

If I opt not to install Messenger, every time I accidentally hit the overly large button on top of the camera, I get a popup telling me that Messenger is required to use that functionality. If you are going to integrate this into Windows so heavily, the least you could do is not require the reboot.

Disclosure: Oempro Multiple Vulnerabilities

[This was originally published on OSVDB, now gone. VulnDB IDs 50321, 50322, 50323, 50324]

Title: Oempro Multiple Vulnerabilities

Release Date: 2008-12-01
Application: Octeth Technologies, Oempro
Cross Ref: CVE-2008-3057, CVE-2008-3058, CVE-2008-3059
OSVDB: 50321 .. 50324


“What is Oempro? Newsletters, product release announcement emails, e-cards, happy birthday emails, email reminders, auto responders, simply all kind of emails can easily be generated and sent by Oempro with powerful and detailed reporting features.”

Oempro contains a wide variety of vulnerabilities and configuration weaknesses that may allow an attacker to gain full access to the product, manipulate user accounts and more. The version tested was discovered during a vulnerability assessment and is relatively outdated. Subsequent versions were not available for testing.

1 – Cookies not marked Secure / HttpOnly

The Oempro application uses a PHPSESSID cookie to maintain authentication between the client and server. The cookie is set without the ‘secure’ (RFC 2109) or ‘httponly’ flag. These flags help ensure that the cookie is sent only over secure channels and that its value is not exposed to client-side script, which helps protect it from disclosure via cross-site scripting attacks.

HTTP/1.1 200 OK
Date: Tue, 01 Jul 2008 06:57:13 GMT
Server: Apache/2.0.59
Keep-Alive: timeout=604800, max=100
Connection: keep-alive, close
Set-Cookie: PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6665
Content-Type: text/html; charset=UTF-8


HTTP/1.1 302 Found
Date: Wed, 02 Jul 2008 04:34:42 GMT
Server: Apache/2.0.59
Keep-Alive: timeout=604800, max=100
Connection: keep-alive, close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: oempcliremme[0]=
Set-Cookie: oempcliremme[1]=
Set-Cookie: oempcliremme[2]=
Set-Cookie: oempcliremme[3]=
Set-Cookie: oempcli=e3a335d15ac0be7f204d8e09ce83b5da
Location: ./bridge.php?GoToURL=
Content-Length: 0
Content-Type: text/html; charset=UTF-8
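A check for this finding, as an added example that is not part of the original advisory: it parses the Set-Cookie lines of a raw HTTP response and reports which cookies lack the ‘secure’ or ‘httponly’ attribute. The sample response is constructed from header lines in the two captures above; the function names and the hardened sample are assumptions made for illustration.

```python
"""Audit Set-Cookie headers in a raw HTTP response for missing Secure / HttpOnly."""

# Constructed sample: Set-Cookie lines taken from the two captures in the advisory.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.0.59\r\n"
    "Set-Cookie: PHPSESSID=e3a335d15ac0be7f204d8e09ce83b5da; path=/\r\n"
    "Set-Cookie: oempcliremme[0]=\r\n"
    "Set-Cookie: oempcli=e3a335d15ac0be7f204d8e09ce83b5da\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: what a corrected response would look like.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=constructed-value; path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *attrs = value.split(";")
    name = first.split("=", 1)[0].strip()
    attr_names = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, attr_names


def audit_cookies(raw_response, required=("secure", "httponly")):
    """Return {cookie_name: [missing flags]} for every cookie set in the headers."""
    # Only the header section counts; a body that mentions Set-Cookie is ignored.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    findings = {}
    for line in head.split("\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_RESPONSE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```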

2 – index.php SQL Injection Authentication Bypass

The authentication mechanism suffers from a SQL injection vulnerability that allows an attacker to bypass authentication. The ‘FormValue_Email’ variable (“Email” field) is not properly sanitized. By supplying SQL syntax such as "' or 0=0 #", an attacker will be logged in as an authenticated user. The structure of Oempro has several URLs that control the privilege of the account. Using this trick on /member/, /client/ and /admin/ will allow the attacker to authenticate as multiple accounts, including an administrator.

    Email:          ' or 0=0 #
    Password:       password
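The flaw and its fix side by side, as an added example that is not Oempro's code: the advisory does not show the application's query, so the table name, column names and query shape below are assumptions, and SQLite stands in for the product's database. The first function only builds the concatenated SQL text to show how the Email value changes the statement; the second binds the input as a parameter and serves as a regression check that the same value no longer authenticates.

```python
import hashlib
import hmac
import sqlite3

PAYLOAD = "' or 0=0 #"  # the Email value quoted in the advisory


def build_login_sql_vulnerable(email, password_hash):
    """Flawed pattern (assumed shape): input concatenated into the SQL text.

    Returned as a string only, not executed. The quote in the input closes
    the email literal, and '#' starts a comment in MySQL, so the password
    condition is never evaluated.
    """
    return ("SELECT id FROM members WHERE email = '" + email +
            "' AND password = '" + password_hash + "'")


def login(db, email, password):
    """Hardened form: the email is bound as data, never parsed as SQL."""
    row = db.execute(
        "SELECT id, salt, pw_hash FROM members WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row[1], 100_000)
    # Constant-time comparison of the derived hash with the stored one.
    return row[0] if hmac.compare_digest(candidate, row[2]) else None


def make_db():
    """Constructed in-memory database with one sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, "
               "email TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    salt = b"constructed-salt"
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    db.execute("INSERT INTO members (email, salt, pw_hash) VALUES (?, ?, ?)",
               ("admin@example.test", salt, pw_hash))
    return db


if __name__ == "__main__":
    print(build_login_sql_vulnerable(PAYLOAD, "x"))
    print(login(make_db(), PAYLOAD, "password"))
```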

3 – /member/settings_account.php Cleartext Password Disclosure

Once authenticated, legitimately or via SQL injection as listed above, the application sends the user’s password in cleartext on the ‘Settings – Account Information’ tab (/member/settings_account.php). The password is stored in a hidden field (FormValue_Password) and is only visually obscured with asterisks for the end user.

[Original PoC removed]

4 – /client/campaign_track.php FormValue_SearchKeywords Variable SQL Injection

The campaign tracking page (/client/campaign_track.php) does not properly filter user-supplied input, allowing for arbitrary SQL syntax to be passed to the database.

5 – Cross-frame Scripting

As described in CVE-2004-2383, the Oempro application does not implement code to prevent cross-frame scripting attacks. This can be used to construct phishing attacks that more convincingly steal user credentials. While this is a browser-based vulnerability, applications can add a small amount of script code to ensure the window is not loaded via a frame.

Product Details:

Vendor: Octeth Technologies
Product: Oempro


Upgrade to version 4.

Disclosure Timeline:

2008-07-02: Vulnerability Discovered
2008-07-05: Disclosed to Vendor via [sales|press|security]
2008-07-05: security@ invalid. Sales #HZS-628697 opened automatically.
2008-07-07: CVE numbers assigned
2008-07-14: Vendor Acknowledgement from C.H.
2008-09-16: v4, said to fix issues, still not released
2008-10-05: Mail sent to C.H. asking for V4 release ETA
2008-11-22: v4 released, reportedly addresses issues
2008-12-01: Public Disclosure


This issue is a candidate for inclusion in the Common Vulnerabilities and Exposures (CVE) list, which standardizes names for security problems. The CVE initiative has assigned CVE Candidate CVE-2008-3057 (cookie handling), CVE-2008-3058 (SQL injection) and CVE-2008-3059 (password disclosure) to this issue.

