[NT] Three New BadBlue Vulnerabilities
From: support@securiteam.com
Date: 07/18/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 18 Jul 2002 07:40:11 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Three New BadBlue Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Three new vulnerabilities have been found in BadBlue: a denial of service,
insecure password storage, and a file disclosure vulnerability that could
allow viewing of the password file.
DETAILS
Invalid GET Request Vulnerability
By sending a specially crafted GET request (specifically, one with no
filename component) it is possible to cause the server to stop handling
further requests. The administrator must fully exit and manually restart
the server to resume normal operation:
GET HTTP/1.0
Some servers withstood this, but balked at a similar request:
GET  HTTP/1.0
The only difference here is two spaces instead of one.
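Both malformed lines above have the same shape: a method and a version with no request-target in between, so a parser that assumes three fields and indexes into the second one misbehaves. The following request-line parser is an added example written for this advisory, not BadBlue's code; it splits on single spaces, insists on exactly three non-empty fields, and answers 400 for anything else so that one bad line cannot take the server out of service. The sample request lines are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

class RequestLine(NamedTuple):
    method: str
    target: str
    version: str

# Constructed sample request lines (not captured traffic): two well-formed
# lines, the two malformed lines from the advisory, and an empty line.
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET HTTP/1.0",      # no request-target at all
    "GET  HTTP/1.0",     # two spaces, still no request-target
    "",
]

_METHOD = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_VERSION = re.compile(r"HTTP/\d\.\d")

def parse_request_line(line: str) -> Optional[RequestLine]:
    """Parse 'METHOD SP request-target SP HTTP-version'; return None if malformed.

    Splitting on a single space (not on runs of whitespace) keeps
    'GET  HTTP/1.0' from collapsing into two fields, and requiring exactly
    three non-empty fields rejects a missing target before any code indexes
    into the field list.
    """
    parts = line.split(" ")
    if len(parts) != 3 or "" in parts:
        return None
    method, target, version = parts
    if not _METHOD.fullmatch(method):
        return None
    # Origin-form targets only ("/path"); absolute-form is out of scope here.
    if not target.startswith("/"):
        return None
    if not _VERSION.fullmatch(version):
        return None
    return RequestLine(method, target, version)

def status_for(line: str) -> int:
    """Status a server should answer with: 400 for a malformed request line,
    instead of entering a state where no further requests are handled."""
    return 200 if parse_request_line(line) is not None else 400

def status_for_samples() -> List[int]:
    return [status_for(line) for line in SAMPLE_REQUEST_LINES]

if __name__ == "__main__":
    for line, status in zip(SAMPLE_REQUEST_LINES, status_for_samples()):
        print(f"{line!r:28} -> {status}")
```

The important property is that every malformed line is answered and the connection loop continues; the server never has to be restarted by hand.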
Malformed Escaping Invalid Byte Vulnerability
By sending a malformed version of an HTTP-escaped NULL byte ("%00"),
BadBlue can be forced to return the source code of the requested file (or
the binary content if the file is a binary). This vulnerability can be
used to read the contents of EXT.INI, which stores BadBlue's configuration
data, including any users or Access Control Lists (ACLs) on the server and
the passwords for any such data as well. The attacker simply appends
".% 00.txt" to the filename. BadBlue appears to strip spaces after
HTTP-escaping, but does this after null-byte filtering has already been
applied, so this specially designed request bypasses the filter:
GET /ext.ini.% 00.txt HTTP/1.0
This request reveals the contents of the BadBlue configuration file. If the
server is configured to allow uploads, but not to allow read/execute access
without a password, this can be used to break the password protection.
Unencrypted Password Vulnerability
This vulnerability involves the password storage in the aforementioned
ext.ini file. The vulnerability allows a local user with read access to
the configuration file to see any passwords for secured resources or user
accounts. BadBlue stores the passwords with no encryption at all, meaning
that simply opening the file is sufficient for password theft. Combined
with the above vulnerability, this enables a remote user to read the
passwords of any BadBlue server.
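The storage problem is independent of the disclosure bug: once a configuration file holds passwords verbatim, any read of that file (local or remote) is a credential theft. The following added example, not BadBlue's code, shows the usual mitigation for an INI-style user store: keep only a salted, iterated password hash and verify candidates against it with a constant-time comparison, so a leaked file yields no directly usable passwords. The `[users]` section layout, iteration count and sample credentials are constructed for the example.

```python
import base64
import configparser
import hashlib
import hmac
import io
import os
from typing import Dict, Optional

ITERATIONS = 200_000   # constructed choice; tune to the hardware in use

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iterations$salt$hash' string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)

def write_users_ini(users: Dict[str, str]) -> str:
    """Serialize a {username: password} mapping to INI text holding only hashes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp["users"] = {name: hash_password(pw) for name, pw in users.items()}
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()

def authenticate(ini_text: str, username: str, password: str) -> bool:
    """Look the user up in the INI text and verify the supplied password."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    stored = cp.get("users", username, fallback=None)
    return stored is not None and verify_password(password, stored)

if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    ini = write_users_ini({"admin": "s3cret-pass"})
    print(ini)
    print("correct password accepted:", authenticate(ini, "admin", "s3cret-pass"))
    print("wrong password accepted  :", authenticate(ini, "admin", "wrong"))
```

Reading the resulting file gives an attacker a salt and a slow hash rather than the password itself, which turns the disclosure bug above from an immediate compromise into an offline guessing problem that strong passwords and a high iteration count make impractical.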
ADDITIONAL INFORMATION
The information has been provided by Matthew Murphy <mailto:mattmurphy@kc.rr.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.