BugTraq
Multiple vulnerabilities in BadBlue 2.72b Dec 10 2007 08:09PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application:  BadBlue
              http://www.badblue.com
Versions:     <= 2.72b
Platforms:    Windows
Bugs:         A] PassThru buffer-overflow
              B] upload directory traversal
              C] path disclosure
Exploitation: remote
Date:         10 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

BadBlue is a commercial web server for sharing files easily.

#######################################################################

=======
2) Bugs
=======

---------------------------
A] PassThru buffer-overflow
---------------------------

When the PassThru command of ext.dll is invoked, the BadBlue server
takes the rest of the URI received from the client and copies it into
a stack buffer of 4096 bytes using strcpy(), causing a buffer
overflow.

-----------------------------
B] upload directory traversal
-----------------------------

Using the upload feature, it is possible for an attacker to upload a
specific file outside the destination folder, with the additional
possibility of overwriting existing files, including ext.ini, which
contains all the configuration of the server.

------------------
C] path disclosure
------------------

The full path of the web server is visible when using the "?&browse="
parameter on a nonexistent folder, which is useful in conjunction with
bug B.

#######################################################################

===========
3) The Code
===========

A]
http://aluigi.org/poc/badbluebof.txt

nc SERVER 80 -v -v < badbluebof.txt

B]
http://aluigi.org/testz/myhttpup.zip

myhttpup http://SERVER/upload.dll file.txt ../../file.txt filedata0

C]
http://SERVER/blah/?&browse=

#######################################################################

======
4) Fix
======

No fix.
I was waiting for a second mail from the developers, but nothing after
almost two weeks.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
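
Added example (not part of the original advisory and not BadBlue's code): one way a server could reject the traversal described in bug B before writing an upload, by accepting only a single file name component and building the destination path with a bounded copy. The function names, the 255-character limit and the sample root folder are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255 /* assumed limit, not taken from the advisory */

/* Hypothetical helper: returns 1 if `name` is a single, plain file name
 * that cannot leave the upload folder on Windows, 0 otherwise. */
int upload_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_NAME)
        return 0;
    /* Both '/' and '\' separate directories on Windows; ':' selects a
     * drive or an alternate data stream. None belongs in a bare name. */
    if (strpbrk(name, "/\\:") != NULL)
        return 0;
    /* "." and ".." name directories, not files. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* Win32 drops trailing dots and spaces, so "ext.ini." opens ext.ini. */
    if (name[len - 1] == '.' || name[len - 1] == ' ')
        return 0;
    for (size_t i = 0; i < len; i++)      /* no control characters */
        if ((unsigned char)name[i] < 0x20)
            return 0;
    return 1;
}

/* Hypothetical helper: writes "<root>\<name>" to `out`. Returns 0 on
 * success, -1 if the name is rejected or the result would not fit. */
int build_upload_path(const char *root, const char *name, char *out, size_t outlen)
{
    int n;
    if (!upload_name_ok(name))
        return -1;
    n = snprintf(out, outlen, "%s\\%s", root, name); /* bounded, unlike strcpy() */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs; "../../file.txt" is the name used in section 3. */
    const char *names[] = { "file.txt", "../../file.txt", "..\\ext.ini", "ext.ini." };
    char path[260];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i], build_upload_path("C:\\share\\upload", names[i], path, sizeof path) == 0 ? path : "rejected");
    return 0;
}
```

Opening the resulting path with exclusive-create semantics (CREATE_NEW with CreateFile on Windows) additionally refuses to overwrite an existing file such as ext.ini.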
