lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 10 Dec 2007 21:09:29 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Multiple vulnerabilities in BadBlue 2.72b


#######################################################################

                             Luigi Auriemma

Application:  BadBlue
              http://www.badblue.com
Versions:     <= 2.72b
Platforms:    Windows
Bugs:         A] PassThru buffer-overflow
              B] upload directory traversal
              C] path disclosure
Exploitation: remote
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


BadBlue is a commercial web server for sharing files easily.


#######################################################################

=======
2) Bugs
=======

---------------------------
A] PassThru buffer-overflow
---------------------------

When the PassThru command of ext.dll is invoked the BadBlue server
takes the rest of the URI received by the client and copies it in a
stack buffer of 4096 bytes using strcpy() and causing a buffer
overflow.


-----------------------------
B] upload directory traversal
-----------------------------

Using the upload feature is possible for an attacker to upload a
specific file outside the destination folder with also the possibility
of overwriting existent files, included ext.ini which contains all the
configuration of the server.


------------------
C] path disclosure
------------------

The full path of the webserver is visible when using the "?&browse="
parameter on an unexistent folder, useful in conjunction with bug B.


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/poc/badbluebof.txt

  nc SERVER 80 -v -v < badbluebof.txt

B]
http://aluigi.org/testz/myhttpup.zip

  myhttpup http://SERVER/upload.dll file.txt ../../file.txt filedata0

C]
http://SERVER/blah/?&browse=


#######################################################################

======
4) Fix
======


No fix.
I was waiting a second mail from the developers but nothing after
almost two weeks.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ