
BadBlue 2.72b multiple vulnerabilities



Multiple vulnerabilities in BadBlue 2.72b




#######################################################################

                             Luigi Auriemma

Application:  BadBlue
              http://www.badblue.com
Versions:     <= 2.72b
Platforms:    Windows
Bugs:         A] PassThru buffer-overflow
              B] upload directory traversal
              C] path disclosure
Exploitation: remote
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============

BadBlue is a commercial web server for sharing files easily.


#######################################################################

=======
2) Bugs
=======
---------------------------
A] PassThru buffer-overflow
---------------------------

When the PassThru command of ext.dll is invoked, the BadBlue server
takes the remainder of the URI received from the client and copies it
with strcpy() into a 4096-byte stack buffer. No length check is made on
the copy, so a longer URI runs past the buffer and overwrites the stack.
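An added illustration, not code from the advisory or from BadBlue (whose source is not public): the strcpy() pattern described above next to a bounded replacement. The buffer size is the 4096 bytes the advisory gives; the function names, the rejection policy and the test helper are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSTHRU_BUF 4096   /* buffer size stated in the advisory */

/* Reconstruction of the pattern the advisory describes (assumed, not
 * BadBlue's code): the rest of the request URI is copied with strcpy()
 * into a fixed-size stack buffer with no length check. A remainder of
 * 4096 bytes or more runs past 'buf' into the saved frame. Kept only
 * for comparison; never call it on untrusted input. */
size_t passthru_vulnerable(const char *uri_rest)
{
    char buf[PASSTHRU_BUF];
    strcpy(buf, uri_rest);           /* overflows if strlen(uri_rest) >= 4096 */
    return strlen(buf);
}

/* Bounded replacement. Copies uri_rest into buf only if it fits with its
 * terminator; otherwise the request is rejected rather than silently
 * truncated (a truncated path is a different bug). Returns 0 on success,
 * -1 if the input does not fit. */
int passthru_safe(const char *uri_rest, char *buf, size_t buflen)
{
    const char *end;

    if (uri_rest == NULL || buf == NULL || buflen == 0)
        return -1;
    /* memchr() stops at the first NUL and never looks past buflen bytes,
     * so an oversized remainder is detected without scanning all of it. */
    end = memchr(uri_rest, '\0', buflen);
    if (end == NULL) {
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, uri_rest, (size_t)(end - uri_rest) + 1);
    return 0;
}

/* Exercises passthru_safe() with a constructed URI remainder of 'len'
 * 'A' bytes against a 4096-byte buffer, mirroring the server's frame.
 * Returns passthru_safe()'s result: 0 accepted, -1 rejected. */
int passthru_accepts_len(size_t len)
{
    char buf[PASSTHRU_BUF];
    char *input = malloc(len + 1);
    int rc;

    if (input == NULL)
        return -1;
    memset(input, 'A', len);
    input[len] = '\0';
    rc = passthru_safe(input, buf, sizeof buf);
    free(input);
    return rc;
}

int main(void)
{
    size_t lens[] = { 10, 4095, 4096, 5000 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("remainder of %zu bytes: %s\n", lens[i],
               passthru_accepts_len(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The boundary is at 4095 bytes: that is the longest remainder that fits with its terminator in the 4096-byte buffer, and the first length at which strcpy() in the original would write past it.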


-----------------------------
B] upload directory traversal
-----------------------------

The upload feature does not sanitize the destination file name for
directory traversal sequences, so an attacker can write a file outside
the upload folder and can also overwrite existing files, including
ext.ini, which holds the whole configuration of the server.
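An added example of the check that would close this bug; it is not BadBlue's code, and the function names and upload root are assumptions. Both '/' and '\' are treated as separators because the server runs on Windows, and the check goes somewhat beyond the advisory by also rejecting drive-qualified names, NTFS alternate data streams and names ending in a dot or space. The `../../file.txt` name from the advisory's own proof of concept is among the rejected inputs.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 260   /* Windows MAX_PATH */

/* Returns 1 if 'name' may be used as an upload file name relative to the
 * upload directory, 0 otherwise. Rejects everything that could escape
 * the directory: leading separators (absolute and UNC paths), anything
 * containing ':' (drive letters, alternate data streams), "." and ".."
 * components, empty components, and components ending in '.' or ' '
 * (Windows strips those when opening a file, so "..." resolves as ".."). */
int upload_name_is_safe(const char *name)
{
    const char *p = name;
    size_t n;

    if (name == NULL || *name == '\0')
        return 0;
    if (strchr(name, ':') != NULL)       /* "C:\x", "file.txt:stream" */
        return 0;

    for (;;) {
        n = strcspn(p, "/\\");           /* length of the current component */
        if (n == 0)                      /* leading, doubled or trailing separator */
            return 0;
        if ((n == 1 && p[0] == '.') ||
            (n == 2 && p[0] == '.' && p[1] == '.'))
            return 0;
        if (p[n - 1] == '.' || p[n - 1] == ' ')
            return 0;
        p += n;
        if (*p == '\0')
            break;
        p++;                             /* step over the separator */
    }
    return 1;
}

/* Joins the configured upload root with a validated name. Returns 0 and
 * fills 'out' on success, -1 if the name is unsafe or does not fit. The
 * root is trusted configuration, never client input. */
int build_upload_path(const char *root, const char *name,
                      char *out, size_t outlen)
{
    int written;

    if (!upload_name_is_safe(name))
        return -1;
    written = snprintf(out, outlen, "%s\\%s", root, name);
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return 0;
}

/* Wrapper with an assumed upload root (not BadBlue's real layout), so the
 * policy can be exercised without managing a buffer. */
int try_build(const char *name)
{
    char path[MAX_PATH_LEN];
    return build_upload_path("C:\\BadBlue\\uploads", name, path, sizeof path);
}

int main(void)
{
    /* Constructed inputs: the PoC's traversal name plus common variants. */
    const char *names[] = {
        "file.txt", "sub/file.txt", "../../file.txt", "..\\..\\ext.ini",
        "C:\\ext.ini", "\\file.txt", "file.txt:stream", "sub/../ext.ini", "..."
    };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s %s\n", names[i],
               try_build(names[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Validating the name component by component, before it is joined to the root, is what makes the check hold: stripping "../" substrings after the fact is bypassed by forms such as "....//" that collapse back into a traversal.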


------------------
C] path disclosure
------------------

The full on-disk path of the web server is revealed when the "?&browse="
parameter is used on a non-existent folder. This is useful in
conjunction with bug B, since it shows where the files to overwrite
(such as ext.ini) live relative to the upload folder.


#######################################################################

===========
3) The Code
===========

A]
http://aluigi.org/poc/badbluebof.txt 

  nc SERVER 80 -v -v < badbluebof.txt

B]
http://aluigi.org/testz/myhttpup.zip 

  myhttpup http://SERVER/upload.dll file.txt ../../file.txt filedata0

C]
http://SERVER/blah/?&browse 

#######################################################################

======
4) Fix
======

No fix.
I was waiting for a second mail from the developers, but nothing after
almost two weeks.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org 
