[26248] in bugtraq


Re: BadBlue - Unauthorized Administrative Command Execution

daemon@ATHENA.MIT.EDU (ellipse)
Mon Jul 22 12:11:53 2002

Date: Sat, 20 Jul 2002 15:54:11 +0000 (GMT)
From: ellipse <ellipse@cipherpunks.com>
To: Matthew Murphy <mattmurphy@kc.rr.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <005a01c2300a$60848920$e62d1c41@kc.rr.com>
Message-ID: <20020720155000.J10597-100000@phoenix.bravozulu.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi Matthew,

[...]

> Then an attack would be conducted that would add the "hd" virtual root and
> point it to C:\.
>
> This occurs because, even though the page content originated elsewhere,
> the request to submit the form originated from the client sitting on the
> BadBlue machine.
>
> http://localhost/hd/winnt/system32/cmd.exe?/c+echo+hello
>
> This will display "hello" to a console window if running BadBlue EE on WinNT
> after this exploit.
>
> http://localhost/hd/winnt/win.ini
> http://localhost/hd/windows/win.ini
>
> Have a look at your Win.ini from the web... :-D

Correct me if I'm wrong here, but what I'm reading this as is:

1) A page with a form POST method on a remote server is visited by a user
on a system running the vulnerable BadBlue server software.
2) The form POST method executes the code previously mentioned, and adds a
link that makes it possible for the user of the local system to view the
contents of the drive through BadBlue.

In this, it's possible for a local user to view the contents of files
added to the BadBlue server with the privileges of the BadBlue server
process.

Question:
Does this allow users to remotely view files via BadBlue as well?

Cheers,
ellipse
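Added illustration, not code from BadBlue or from either poster: the kind of server-side gate that would stop the cross-site form POST described in this thread, where a page served elsewhere submits to the admin interface on localhost. An admin change is accepted only when the request's Origin/Referer host matches the Host header the server answers for and the form carries a per-session token. The admin path, session handling and form field names are assumptions.

```python
import secrets
from urllib.parse import urlsplit

ADMIN_PATH = "/admin/add_vroot"   # hypothetical; the real BadBlue form path is not given here
_session_tokens = {}              # session id -> anti-CSRF token (in-memory for the example)


def issue_csrf_token(session_id):
    """Mint a per-session token to embed in the legitimate admin form."""
    token = secrets.token_hex(16)
    _session_tokens[session_id] = token
    return token


def _source_host(headers):
    """Host the browser says the request came from (Origin, else Referer), or None."""
    src = headers.get("Origin") or headers.get("Referer")
    return urlsplit(src).netloc.lower() if src else None


def admin_request_allowed(method, path, headers, form, session_id):
    """Return (allowed, reason). Non-admin paths are left alone."""
    if path != ADMIN_PATH:
        return True, "not an admin request"
    if method != "POST":
        return False, "admin changes must be POSTed"
    host = headers.get("Host", "").lower()
    src = _source_host(headers)
    # A form on a remote page submits with its own Origin/Referer, not localhost.
    if src is None or src != host:
        return False, "cross-site request: source %r != host %r" % (src, host)
    expected = _session_tokens.get(session_id)
    if not expected or not secrets.compare_digest(form.get("csrf", ""), expected):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: a forged POST from a remote page, then a legitimate one.
    forged = {"Host": "localhost", "Referer": "http://attacker.example/page.html"}
    print(admin_request_allowed("POST", ADMIN_PATH, forged, {"vroot": "hd", "dir": "C:\\"}, "s1"))
    tok = issue_csrf_token("s1")
    legit = {"Host": "localhost", "Referer": "http://localhost/admin/vroots"}
    print(admin_request_allowed("POST", ADMIN_PATH, legit, {"vroot": "hd", "csrf": tok}, "s1"))
```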
