#######################################################################
Luigi Auriemma
Application: BadBlue
http://www.badblue.com
Versions: <= 2.72b
Platforms: Windows
Bugs: A] PassThru buffer-overflow
B] upload directory traversal
C] path disclosure
Exploitation: remote
Date: 10 Dec 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
1) Introduction

BadBlue is a commercial web server for sharing files easily.
#######################################################################
2) Bugs

A] PassThru buffer-overflow

When the PassThru command of ext.dll is invoked, the BadBlue server
takes the rest of the URI received from the client and copies it into a
4096-byte stack buffer using strcpy(), causing a stack-based buffer
overflow.
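The following C snippet is an added illustration, not BadBlue's code: it puts the unbounded strcpy() pattern described above beside a bounded version that refuses any input that does not fit the 4096-byte buffer. The function names, the caller shape and the try_length() helper are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URI_BUF 4096   /* size of the stack buffer named in the advisory */

/* The pattern the advisory describes (constructed, not BadBlue's code):
 * the remainder of the URI is copied into a fixed 4096-byte stack buffer
 * with strcpy(), so a client-supplied string of 4096 bytes or more runs
 * past the end of the buffer. Kept only as the "before" picture; nothing
 * below calls it. */
void passthru_unbounded(const char *rest_of_uri)
{
    char buf[URI_BUF];
    strcpy(buf, rest_of_uri);       /* no length check: stack overflow */
    (void)buf;
}

/* Hardened version: measure the input against the buffer before copying
 * and refuse the request when it does not fit (terminator included).
 * Returns 0 on success, -1 when the input is too long. The request is
 * rejected rather than silently truncated, so a later parser never works
 * on a cut-off URI. */
static int passthru_bounded(const char *rest_of_uri, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && rest_of_uri[n] != '\0')
        n++;
    if (n >= outsz)                 /* no room left for the terminator */
        return -1;
    memcpy(out, rest_of_uri, n);
    out[n] = '\0';
    return 0;
}

/* Caller shaped like the original handler: a 4096-byte stack buffer,
 * but filled through the bounded copy. */
int handle_passthru(const char *rest_of_uri)
{
    char buf[URI_BUF];
    return passthru_bounded(rest_of_uri, buf, sizeof buf);
}

/* Constructs a URI remainder of exactly len bytes ('A's) and feeds it to
 * the handler; returns the handler's result. Shows where the cut-off is. */
int try_length(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -2;
    memset(s, 'A', len);
    s[len] = '\0';
    int rc = handle_passthru(s);
    free(s);
    return rc;
}

int main(void)
{
    printf("100 bytes : %d\n", try_length(100));    /* 0: accepted */
    printf("4095 bytes: %d\n", try_length(4095));   /* 0: largest size that fits */
    printf("4096 bytes: %d\n", try_length(4096));   /* -1: rejected */
    printf("6000 bytes: %d\n", try_length(6000));   /* -1: rejected */
    return 0;
}
```

The bounded copy returns an error instead of truncating: a truncated URI would be parsed as something the client never sent, which is its own class of bug.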
B] upload directory traversal

Using the upload feature, it is possible for an attacker to upload a
file outside the destination folder, with the additional possibility
of overwriting existing files, including ext.ini, which contains the
entire configuration of the server.
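As an added example (not BadBlue's code), the C below shows the check an upload handler needs so that a client-supplied name can only ever land as a direct child of the upload directory: an allow-list on the file name, then a path builder that uses it. The upload root "C:/badblue/upload" and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 when name is a plain file name the server may create inside
 * its upload directory, 0 otherwise. Rejected: empty or overlong names,
 * "." and "..", and any character outside a conservative allow-list.
 * The allow-list excludes '/' and '\\' (BadBlue runs on Windows, where
 * both are separators) and ':' (drive letters, NTFS streams), so a
 * traversal string such as "../../ext.ini" is refused as a whole rather
 * than "cleaned" into something that may still escape. */
int upload_name_ok(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789._-";
    size_t len = strlen(name);

    if (len == 0 || len > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strspn(name, allowed) != len)
        return 0;
    return 1;
}

/* Builds "<root>/<name>" into out. Returns 0 on success, -1 when the name
 * fails the check above or the result would not fit in outsz bytes.
 * Because the name cannot contain a separator or "..", the result is
 * always a direct child of root: the server's own files (ext.ini among
 * them) stay unreachable as long as they live outside root. */
int build_upload_path(const char *root, const char *name,
                      char *out, size_t outsz)
{
    if (!upload_name_ok(name))
        return -1;
    int n = snprintf(out, outsz, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Convenience wrapper: length of the path that would be built, or -1
 * when build_upload_path() refuses the name. */
int upload_path_len(const char *root, const char *name)
{
    char out[512];
    if (build_upload_path(root, name, out, sizeof out) != 0)
        return -1;
    return (int)strlen(out);
}

int main(void)
{
    /* Constructed sample names, including the traversal shape from the advisory */
    const char *root = "C:/badblue/upload";     /* hypothetical upload root */
    const char *names[] = { "file.txt", "../../file.txt", "..\\..\\ext.ini",
                            "..", "C:file.txt", "" };
    char out[512];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_upload_path(root, names[i], out, sizeof out) == 0)
            printf("accepted: %s\n", out);
        else
            printf("rejected: \"%s\"\n", names[i]);
    }
    return 0;
}
```

Rejecting the whole name is deliberate: stripping "../" and retrying invites bypasses, and a configuration file should not live in a directory the upload handler can write to at all.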
C] path disclosure

The full path of the web server is disclosed when the "?&browse="
parameter is used on a nonexistent folder, which is useful in
conjunction with bug B.
#######################################################################
3) The Code

A]
http://aluigi.org/poc/badbluebof.txt
nc SERVER 80 -v -v < badbluebof.txt
B]
http://aluigi.org/testz/myhttpup.zip
myhttpup http://SERVER/upload.dll file.txt …/…/file.txt filedata0
C]
http://SERVER/blah/?&browse=
#######################################################################
4) Fix

No fix.
I was waiting for a second mail from the developers, but nothing after
almost two weeks.
#######################################################################
Luigi Auriemma
http://aluigi.org