Bugtraq mailing list archives

Re: BadBlue - Unauthorized Administrative Command Execution


From: ellipse <ellipse () cipherpunks com>
Date: Sat, 20 Jul 2002 15:54:11 +0000 (GMT)

Hi Matthew,

[...]

Then an attack would be conducted that would add the "hd" virtual root and
point it to C:\.

This occurs because, even though the page content originated elsewhere,
the request to submit the form originated from the client sitting on the
BadBlue machine.

http://localhost/hd/winnt/system32/cmd.exe?/c+echo+hello

This will display "hello" to a console window if running BadBlue EE on WinNT
after this exploit.

http://localhost/hd/winnt/win.ini
http://localhost/hd/windows/win.ini

Have a look at your Win.ini from the web... :-D

Correct me if I'm wrong here, but what I'm reading this as is:

1) A page with a form POST method on a remote server is visited by a user
on a system running the vulnerable BadBlue server software.
2) The form POST method executes the code previously mentioned, and adds a
link that makes it possible for the user of the local system to view the
contents of the drive through BadBlue.

In this, it's possible for a local user to view the contents of files
added to the BadBlue server with the privileges of the BadBlue server
process.

Question:
Does this allow users to remotely view files via BadBlue as well?

Cheers,
ellipse
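The mechanism the thread describes (a form on a remote page, submitted by the victim's own browser to the web server on localhost, and accepted because it "came from the local client") is what is now called cross-site request forgery. The following is an added example, not part of ellipse's or Matthew's message and not BadBlue's code: a constructed authorization check for a state-changing admin endpoint, showing the two controls that close this hole regardless of which host the request arrives from. The origin string, the request dictionaries and the endpoint name are assumptions made for the demonstration.

```python
"""Constructed example: authorizing a state-changing admin POST on a local
web server so that a page served from elsewhere cannot drive it.

Two independent checks, either of which defeats the attack in the thread:
  1. the Origin (or Referer) header must name the server's own origin;
  2. the form must carry a per-session secret (anti-CSRF token) that a
     remote page cannot read because of the browser's same-origin policy.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

LOCAL_ORIGIN = "http://localhost"  # hypothetical origin of the admin UI


@dataclass
class Session:
    """Server-side session; the token is issued when the admin page is served."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def origin_matches(headers: dict, expected: str) -> bool:
    """True only if Origin (or, failing that, Referer) is our own origin.

    A missing header is treated as foreign: we refuse rather than guess.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == expected


def authorize_admin_action(session: Session, request: dict) -> tuple:
    """Decide whether an admin POST (e.g. 'add virtual root') may proceed.

    Returns (allowed, reason) so the caller can log every refusal.
    """
    # A GET that changes state can be triggered by a plain <img> tag,
    # so only POST is even considered.
    if request["method"] != "POST":
        return False, "state change requires POST"
    if not origin_matches(request["headers"], LOCAL_ORIGIN):
        return False, "foreign or missing origin"
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison; the token is bound to this session only.
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


SESSION = Session()

# Constructed sample requests, not captured traffic.
LEGIT = {  # submitted from the server's own admin page
    "method": "POST",
    "headers": {"Origin": "http://localhost", "Referer": "http://localhost/admin.html"},
    "form": {"action": "add_virtual_root", "csrf_token": SESSION.csrf_token},
}
CROSS_SITE = {  # the thread's scenario: form hosted on another site
    "method": "POST",
    "headers": {"Origin": "http://remote-site.example"},
    "form": {"action": "add_virtual_root"},
}
NO_TOKEN = {  # right origin header but no session secret
    "method": "POST",
    "headers": {"Referer": "http://localhost/admin.html"},
    "form": {"action": "add_virtual_root"},
}


def run_examples() -> dict:
    """Evaluate the three constructed requests; used for the stand-alone run."""
    return {
        "legit": authorize_admin_action(SESSION, LEGIT),
        "cross_site": authorize_admin_action(SESSION, CROSS_SITE),
        "no_token": authorize_admin_action(SESSION, NO_TOKEN),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_examples().items():
        print(f"{name:10s} allowed={allowed} reason={reason}")
```

The point for the thread's question: locality of the client is not authentication, because the client will obey any page it renders. A token that only the server's own pages can embed is what ties the request to the administrator's intent.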

