Multiple vulnerabilities in BadBlue 2.72b
#######################################################################
Luigi Auriemma
Application: BadBlue
http://www.badblue.com
Versions: <= 2.72b
Platforms: Windows
Bugs: A] PassThru buffer-overflow
B] upload directory traversal
C] path disclosure
Exploitation: remote
Date: 10 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
BadBlue is a commercial web server for sharing files easily.
#######################################################################
=======
2) Bugs
=======
---------------------------
A] PassThru buffer-overflow
---------------------------
When the PassThru command of ext.dll is invoked, the BadBlue server
takes the rest of the URI received from the client and copies it with
strcpy() into a 4096-byte stack buffer; since strcpy() performs no
length check, a longer URI overflows the buffer.
-----------------------------
B] upload directory traversal
-----------------------------
Through the upload feature an attacker can write a file outside the
destination folder and can also overwrite existing files, including
ext.ini, which contains the whole configuration of the server.
------------------
C] path disclosure
------------------
The full path of the web server is disclosed when the "?&browse="
parameter is used on a non-existent folder, which is useful in
conjunction with bug B.
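Defensive counterpart to bugs A and B, as an added example written for this page and not code from BadBlue: copy_uri_rest() is a bounded replacement for the strcpy() into the 4096-byte buffer, and upload_name_is_safe() rejects upload names that would leave the destination folder. The buffer size is the one stated above; the function names, the constructed inputs and the rejection of ':' on Windows are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define URI_BUF_SIZE 4096
static char scratch[URI_BUF_SIZE];   /* stand-in for the 4096-byte stack buffer */

/* Bounded replacement for the unchecked strcpy() described in bug A:
 * refuse input that would not fit (terminator included) instead of
 * writing past the end of the stack buffer. Returns true on success. */
bool copy_uri_rest(char *dst, size_t dst_size, const char *uri_rest)
{
    size_t len = strlen(uri_rest);
    if (len >= dst_size)
        return false;             /* would overflow: reject the request */
    memcpy(dst, uri_rest, len + 1);
    return true;
}

/* Check for an upload filename (bug B): accept only a bare file name with
 * no path separators, no drive/stream colons and no "." or ".." names,
 * so the stored file cannot land outside the destination folder. */
bool upload_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strchr(name, '/') || strchr(name, '\\') || strchr(name, ':'))
        return false;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Constructed input: a URI "rest" made of n 'A' characters (n < 8192). */
const char *filler_uri(size_t n)
{
    static char buf[8192];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("short URI fits: %d\n", copy_uri_rest(scratch, sizeof scratch, "/index.html"));
    printf("4096-byte URI rejected: %d\n", !copy_uri_rest(scratch, sizeof scratch, filler_uri(4096)));
    printf("\"file.txt\" ok: %d, \"../../file.txt\" ok: %d\n",
           upload_name_is_safe("file.txt"), upload_name_is_safe("../../file.txt"));
    return 0;
}
```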
#######################################################################
===========
3) The Code
===========
A]
http://aluigi.org/poc/badbluebof.txt
nc SERVER 80 -v -v < badbluebof.txt
B]
http://aluigi.org/testz/myhttpup.zip
myhttpup http://SERVER/upload.dll file.txt ../../file.txt filedata0
C]
http://SERVER/blah/?&browse=
#######################################################################
======
4) Fix
======
No fix.
I was waiting for a second mail from the developers but nothing came
after almost two weeks.
#######################################################################
---
Luigi Auriemma
http://aluigi.org