SECURITYVULNS:DOC:18637
Dec 13, 2007 - 12:00 a.m.

Multiple vulnerabilities in BadBlue 2.72b

2007-12-13 00:00:00
vulners.com

#######################################################################

                         Luigi Auriemma

Application: BadBlue
http://www.badblue.com
Versions: <= 2.72b
Platforms: Windows
Bugs: A] PassThru buffer-overflow
B] upload directory traversal
C] path disclosure
Exploitation: remote
Date: 10 Dec 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

BadBlue is a commercial web server for sharing files easily.

#######################################################################

=======
2) Bugs


A] PassThru buffer-overflow

When the PassThru command of ext.dll is invoked, the BadBlue server
takes the rest of the URI received from the client and copies it into a
4096-byte stack buffer using strcpy(), with no length check, causing a
stack-based buffer overflow.


B] upload directory traversal

Using the upload feature, an attacker can write a file outside the
destination folder, with the additional possibility of overwriting
existing files, including ext.ini, which holds the whole configuration
of the server.
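As an added illustration of the two input-handling defects above (this is not BadBlue's code, whose internals are not public; the function names and the use of 4096 bytes as the bound are assumptions taken from the description), a bounded copy that rejects an over-long PassThru argument and a check that keeps an upload name inside its destination folder:

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, taken from the advisory's description of bug A. */
#define PASSTHRU_BUF 4096

/* Bug A: the server copies the remainder of the URI into a fixed stack
 * buffer with strcpy(). This bounded replacement refuses any argument
 * that does not fit together with its terminator, so the request is
 * rejected instead of overflowing the buffer. Returns 0 on success, -1
 * when the input is too long. */
int copy_passthru_arg(char *dst, size_t dstsz, const char *uri_rest)
{
    size_t n = strlen(uri_rest);
    if (n >= dstsz)            /* would overflow: reject the request */
        return -1;
    memcpy(dst, uri_rest, n + 1);
    return 0;
}

/* Bug B: the upload filename must stay inside the destination folder.
 * Reject empty names, path separators of either flavour, drive-letter
 * colons and bare "." / ".." components, so a name cannot climb out of
 * the directory and reach files such as ext.ini. Returns 1 if the name
 * is acceptable, 0 otherwise. */
int upload_name_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strchr(name, '/') || strchr(name, '\\') || strchr(name, ':'))
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

int main(void)
{
    char buf[PASSTHRU_BUF];
    char big[PASSTHRU_BUF + 1];           /* constructed: one byte too long */
    memset(big, 'A', PASSTHRU_BUF);
    big[PASSTHRU_BUF] = '\0';
    printf("short arg accepted: %d\n", copy_passthru_arg(buf, sizeof buf, "index.htm"));
    printf("4096-byte arg accepted: %d\n", copy_passthru_arg(buf, sizeof buf, big));
    printf("file.txt ok: %d\n", upload_name_ok("file.txt"));
    printf("..\\ext.ini ok: %d\n", upload_name_ok("..\\ext.ini"));
    return 0;
}
```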


C] path disclosure

The full installation path of the web server is disclosed when the
"?&browse=" parameter is used on a nonexistent folder, which is useful
in conjunction with bug B.

#######################################################################

===========
3) The Code

A]
http://aluigi.org/poc/badbluebof.txt

nc SERVER 80 -v -v < badbluebof.txt

B]
http://aluigi.org/testz/myhttpup.zip

myhttpup http://SERVER/upload.dll file.txt …/…/file.txt filedata0

C]
http://SERVER/blah/?&browse=

#######################################################################

======
4) Fix

No fix.
I was waiting for a second mail from the developers, but nothing after
almost two weeks.

#######################################################################


Luigi Auriemma
http://aluigi.org