From: mattmurphy at kc.rr.com (Matthew Murphy)
Subject: Three BadBlue Vulnerabilities

Advisory: Working Resources BadBlue Multiple Vulnerabilities

Issue: Three vulnerabilities: a denial of service, insecure password
storage, and a file disclosure vulnerability that could allow viewing of the
password file.

Risk: Critical

SecurityFocus: "Working Resources BadBlue Invalid Get Request Denial of
Service Vulnerability" describes one of these issues.

Invalid GET Request Vulnerability
----------------------------------

By sending a specially crafted GET request (specifically, one with no
filename component) it is possible to cause the server to stop handling
further requests.  The administrator must fully exit and manually restart
the server to resume normal operation:

GET HTTP/1.0

Some servers withstood this, but balked at a similar request:

GET  HTTP/1.0

The only difference is two spaces instead of one.

Malformed Escaping Invalid Byte Vulnerability
-----------------------------------------------

By sending a malformed version of an HTTP-escaped NULL byte ("%00"), BadBlue
can be forced to return the source code of the desired file (or the binary
content if the file is a binary).  This vulnerability can be used to read
the contents of EXT.INI, which stores BadBlue's configuration data,
including any users or Access Control Lists (ACLs) on the server, as well as
the passwords for any such data.  The attacker simply appends ".% 00.txt"
to the filename.  BadBlue appears to strip spaces when it processes HTTP
escapes, but does so only after null-byte filtering has already been
applied, so this specially crafted request bypasses the filter:

GET /ext.ini.% 00.txt HTTP/1.0

This request reveals the contents of the BadBlue configuration file.  If the
server is configured to allow uploads but not to allow read/execute access
without a password, this can be used to break the password protection.

Unencrypted Password Vulnerability
--------------------------------------

This vulnerability involves the password storage in the aforementioned
ext.ini file.  The vulnerability allows a local user with read access to the
configuration file to see any passwords for secured resources or user
accounts.  BadBlue stores the passwords with no encryption at all, meaning
that simply opening the file is sufficient for password theft.  Combined
with the above vulnerability, this enables a remote user to read the
passwords of any BadBlue server.
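The filter-ordering bug in the malformed-escaping section, and the strict request-line check that the invalid GET request section calls for, as an added Python model; this is not BadBlue's code (which is not on the page), and the function names and the inferred order of the NUL filter, space stripping and decoding are assumptions drawn from the advisory's description:

```python
from urllib.parse import unquote_to_bytes

# Hypothetical model of the request handling the advisory infers; BadBlue's
# real code is not on the page.  The vulnerable order runs a NUL filter on the
# raw path before spaces are stripped, so "% 00" slips past the filter and
# only afterwards becomes "%00".

def decode_path_vulnerable(raw_path: str) -> bytes:
    """Vulnerable order: validate the raw text first, canonicalize second."""
    if "%00" in raw_path.lower():
        raise ValueError("rejected: encoded NUL")       # sees "% 00", not "%00"
    return unquote_to_bytes(raw_path.replace(" ", ""))  # now decodes to a real NUL

def decode_path_fixed(raw_path: str) -> bytes:
    """Hardened order: canonicalize fully, then validate the decoded bytes."""
    decoded = unquote_to_bytes(raw_path.replace(" ", ""))
    if any(b < 0x20 or b == 0x7F for b in decoded):
        raise ValueError("rejected: control byte after decoding")
    return decoded

def effective_filename(path: bytes) -> bytes:
    """What a C-string open() sees: the name ends at the first NUL, so the
    ".txt" suffix vanishes and only "/ext.ini." remains (Win32 additionally
    ignores a trailing "."), which is why ext.ini itself gets served."""
    return path.split(b"\x00", 1)[0]

def parse_request_line(line: str) -> tuple:
    """Strict request-line parse that also covers the invalid GET issue:
    exactly three single-space-separated tokens and a path starting with "/".
    "GET HTTP/1.0" (two tokens) and "GET  HTTP/1.0" (empty path) both fail."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/") \
            or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, raw_path, version = parts
    decode_path_fixed(raw_path)  # reject control bytes before any file access
    return method, raw_path, version

def rejects(fn, arg) -> bool:
    """True if fn raises ValueError on arg; used by the checks below."""
    try:
        fn(arg)
    except ValueError:
        return True
    return False
```

A raw space inside the request target is itself malformed HTTP, so the strict parser turns the advisory's request away before any decoding happens; the decode functions show what goes wrong when a server tolerates it.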
