Message-Id: <20071210210929.54dafe39.aluigi@autistici.org>
Date: Mon, 10 Dec 2007 21:09:29 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
packet@...ketstormsecurity.org
Subject: Multiple vulnerabilities in BadBlue 2.72b
#######################################################################
Luigi Auriemma
Application: BadBlue
http://www.badblue.com
Versions: <= 2.72b
Platforms: Windows
Bugs: A] PassThru buffer-overflow
B] upload directory traversal
C] path disclosure
Exploitation: remote
Date: 10 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
BadBlue is a commercial web server for sharing files easily.
#######################################################################
=======
2) Bugs
=======
---------------------------
A] PassThru buffer-overflow
---------------------------
When the PassThru command of ext.dll is invoked, the BadBlue server
takes the rest of the URI received from the client and copies it into a
4096-byte stack buffer with strcpy(), with no length check, causing a
stack-based buffer overflow.
-----------------------------
B] upload directory traversal
-----------------------------
Through the upload feature an attacker can place an uploaded file
outside the destination folder and can also overwrite existing files,
including ext.ini, which holds the whole configuration of the server.
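The server-side check that would close the hole described above, written as an added example (this is not BadBlue's code, whose source is not public; the function names, the upload folder and the sample file names are assumptions, and Python is used only for illustration):

```python
import os
import tempfile
from urllib.parse import unquote

class UploadRejected(Exception):
    """Raised with a short reason code when an upload name must not be written."""

def safe_upload_path(dest_dir, client_name, allow_overwrite=False):
    """Return the absolute path inside dest_dir that client_name may be written to.

    Only a bare file name is accepted: any directory component (so any traversal
    such as ../../file.txt in raw, percent-encoded or backslash form) is rejected,
    and by default an existing file is never overwritten, so a configuration
    file cannot be replaced through the upload handler.
    """
    name = unquote(client_name).replace("\\", "/")   # decode once, unify separators
    if name in ("", ".", "..") or "/" in name or ":" in name or "\x00" in name:
        raise UploadRejected("path")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:              # e.g. a symlink pointing outside
        raise UploadRejected("escape")
    if not allow_overwrite and os.path.exists(target):
        raise UploadRejected("exists")
    return target

def classify(dest_dir, client_name):
    """Return 'accepted' or 'rejected:<reason>' for one client-supplied name."""
    try:
        safe_upload_path(dest_dir, client_name)
        return "accepted"
    except UploadRejected as exc:
        return "rejected:" + str(exc)

def demo():
    """Check constructed upload names against a throwaway upload folder."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        # Constructed: a file that already exists in the upload folder.
        open(os.path.join(uploads, "readme.txt"), "w").close()
        names = ["file.txt", "../../file.txt", "..%2F..%2Fext.ini",
                 "..\\..\\ext.ini", "C:ext.ini", "readme.txt"]
        return {n: classify(uploads, n) for n in names}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```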
------------------
C] path disclosure
------------------
The full path of the web server is disclosed when the "?&browse="
parameter is used on a non-existent folder, which is useful in
combination with bug B.
#######################################################################
===========
3) The Code
===========
A]
http://aluigi.org/poc/badbluebof.txt
nc SERVER 80 -v -v < badbluebof.txt
B]
http://aluigi.org/testz/myhttpup.zip
myhttpup http://SERVER/upload.dll file.txt ../../file.txt filedata0
C]
http://SERVER/blah/?&browse=
#######################################################################
======
4) Fix
======
No fix.
I was waiting for a second mail from the developers, but nothing arrived
after almost two weeks.
#######################################################################
---
Luigi Auriemma
http://aluigi.org