[NEWS] URL Parsing and Plain Text Password disclosure in Best Buy Employee Toolkit Software

From: SecuriTeam (support_at_securiteam.com)
Date: 08/24/03

    To: list@securiteam.com
    Date: 24 Aug 2003 16:52:21 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

    URL Parsing and Plain Text Password disclosure in Best Buy Employee Toolkit Software
    ------------------------------------------------------------------------

    SUMMARY

    Best Buy Employee Toolkit Interactive is a software program used
    nationally on Best Buy terminal systems. The software allows employees to
    check multiple systems throughout the internal network. A URL parsing
    vulnerability in the configuration screen could allow an attacker to
    execute a command shell, hijack certain network connections, or read
    plain-text passwords.

    DETAILS

    URL Parsing
    By pressing CTRL+SHIFT within the Employee Toolkit software and clicking
    the exit button, a logged-in user is given access to the Toolkit's
    configuration screen. An area within the configuration screen allows a
    logged-in user to enter a URL. There is no validation of what is entered
    in the URL area, so an attacker could use it to execute a local command
    shell or other locally stored programs.
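    The defect described above is a "URL" field whose contents are handed to a program launcher without being checked, so a local executable path is accepted as readily as a web address. The following is an added example, not code from the Employee Toolkit or the advisory: an unchecked dispatcher next to a hardened one that only accepts http(s) URLs with a real hostname (and, optionally, a host allowlist). The dispatchers only return the action they would take; nothing is launched.

```python
# Added example (not the toolkit's code): gate a user-supplied "URL" field before
# it reaches a system launcher such as ShellExecute, which will happily start
# "cmd.exe" or any local path it is given.
from typing import Optional, Set
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(value: str, allowed_hosts: Optional[Set[str]] = None) -> bool:
    """Return True only if value is an http(s) URL with a real hostname."""
    # Whitespace and control characters never belong in a URL. Check the raw
    # string, because urlsplit() silently strips tab, CR and LF before parsing.
    if not value or any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    parts = urlsplit(value)
    # "cmd.exe" has no scheme; "C:\Windows\System32\cmd.exe" parses with the
    # scheme "c"; "file:" and "javascript:" are outside the allowlist too.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname:
        return False
    # Refuse embedded credentials (http://user:pw@host/).
    if parts.username is not None or parts.password is not None:
        return False
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False
    return True


def dispatch_unchecked(value: str) -> str:
    """Simulates the vulnerable behaviour: whatever was typed gets launched."""
    return f"launch:{value}"


def dispatch_hardened(value: str, allowed_hosts: Optional[Set[str]] = None) -> str:
    """Simulates the fixed behaviour: only validated URLs reach the browser."""
    if not is_safe_url(value, allowed_hosts):
        return "rejected"
    return f"open-browser:{value}"
```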

    Plain-text Password Disclosure
    Once an attacker has executed a local command shell, they have access to
    the root directory, which houses a batch file that maps a share on the
    store's central server. The batch file uses the 'net use' command to map
    the server's drive and holds the central server's administrator password
    in plain text.
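    A batch file that passes the account password to 'net use' as a literal argument is easy to find with an audit script. The following is an added example, not code from the toolkit or the vendor: it parses 'net use' lines (syntax: net use [device] \\server\share [password | *] [/user:name] [/options]) and reports each mapping that embeds a literal password, recording only the password's length so the report does not become a second copy of the secret. The batch file, server, account and password are constructed for the example.

```python
# Added example (not the toolkit's code): flag "net use" lines in a batch file
# that carry a literal password instead of "*" (prompt) or no password.
from typing import Dict, List, Optional

# Constructed sample batch file; the server, account and password are made up.
SAMPLE_BATCH = r"""@echo off
rem map the store server (constructed example)
net use X: \\STORESRV\data$ Sup3rSecret /user:STORE\Administrator /persistent:no
net use Y: \\STORESRV\public * /user:STORE\kiosk
net use Z: \\STORESRV\logs /persistent:yes
net use Z: /delete
"""


def audit_net_use(batch_text: str) -> List[Dict[str, object]]:
    """Return one finding per 'net use' line that embeds a literal password."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(batch_text.splitlines(), start=1):
        tokens = raw.split()
        if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["net", "use"]:
            continue
        args = tokens[2:]
        # Switches start with "/"; everything else is positional.
        positional = [t for t in args if not t.startswith("/")]
        user: Optional[str] = next(
            (t[len("/user:"):] for t in args if t.lower().startswith("/user:")), None
        )
        # The share is the first positional argument that is a UNC path; a line
        # without one ("net use Z: /delete") maps nothing and is skipped.
        share_idx = next((i for i, t in enumerate(positional) if t.startswith("\\\\")), None)
        if share_idx is None:
            continue
        device = positional[0] if share_idx == 1 else None
        # The password, if present, immediately follows the share; "*" means prompt.
        password = positional[share_idx + 1] if len(positional) > share_idx + 1 else None
        if password is None or password == "*":
            continue
        findings.append({
            "line": lineno,
            "device": device,
            "share": positional[share_idx],
            "user": user,
            "password_length": len(password),   # never the password itself
        })
    return findings
```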

    By combining the trickery of both the URL Parsing vulnerability and the
    plain-text password disclosure, an attacker could execute telnet to
    remotely log into the central server as the administrator.

    Finding the servers on the local area network is as easy as executing the
    'net view' command at a command shell. Another method for finding these
    servers is to open a page within the Employee Toolkit and press CTRL+P
    to bring up the printing interface. Choose to print the text to a file,
    then click the Network button. This will bring up all of the computers
    connected to the Best Buy network.

    Vendor Status:
    05/05/2003 - Best Buy notified of vulnerability.
    06/12/2003 - Best Buy coordinates with IBM to release a fix; Patch
    ineffective.
    06/12/2003 - Best Buy notified of patch ineffectiveness; I was told the
    vulnerability was not a serious problem.
    07/27/2003 - Best Buy notified again of vulnerability and its impact.
    08/14/2003 - No Response from Best Buy.
    08/14/2003 - Public Disclosure.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cmthemc@yahoo.com> cm`.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

