Bugtraq mailing list archives
Re: BadBlue - Unauthorized Administrative Command Execution
From: ellipse <ellipse () cipherpunks com>
Date: Sat, 20 Jul 2002 15:54:11 +0000 (GMT)
Hi Matthew, [...]
Then an attack would be conducted that would add the "hd" virtual root and point it to C:\. This occurs because, even though the page content originated elsewhere, the request to submit the form originated from the client sitting on the BadBlue machine.

http://localhost/hd/winnt/system32/cmd.exe?/c+echo+hello

This will display "hello" to a console window if running BadBlue EE on WinNT after this exploit.

http://localhost/hd/winnt/win.ini
http://localhost/hd/windows/win.ini

Have a look at your Win.ini from the web... :-D
Correct me if I'm wrong here, but what I'm reading this as is:

1) A page with a form POST method on a remote server is visited by a user on a system running the vulnerable BadBlue server software.
2) The form POST method executes the code previously mentioned, and adds a link that makes it possible for the user of the local system to view the contents of the drive through BadBlue.

In this, it's possible for a local user to view the contents of files added to the BadBlue server with the privileges of the BadBlue server process.

Question: Does this allow users to remotely view files via BadBlue as well?

Cheers,
ellipse
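The trust decision discussed in this thread, as an added example that is not part of either post and is not BadBlue's code: it assumes a server that accepts administrative requests whenever the client address is the local machine, and contrasts that with a check that also requires the submitting page to come from the server's own site. All function names, the `admin.htm` path and the sample requests are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample requests (not captured traffic). In both, the browser
# runs on the server machine, so the TCP peer address is loopback.
CROSS_SITE = {"Host": "localhost", "Referer": "http://remote.example/page.html"}
SAME_SITE = {"Host": "localhost", "Referer": "http://localhost/admin.htm"}


def weak_admin_check(remote_addr, headers):
    """Assumed weak policy: trust any request sent by a local client."""
    return remote_addr in LOOPBACK


def _site(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port or default)


def hardened_admin_check(remote_addr, headers, scheme="http"):
    """Require a local client AND a submitting page served by this site."""
    if remote_addr not in LOOPBACK:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    host = h.get("host")
    if not source or not host:
        return False  # fail closed when the request's source is unknown
    src = _site(source)
    return src is not None and src == _site(f"{scheme}://{host}")


if __name__ == "__main__":
    for name, req in (("cross-site", CROSS_SITE), ("same-site", SAME_SITE)):
        print(name, weak_admin_check("127.0.0.1", req),
              hardened_admin_check("127.0.0.1", req))
```

A header comparison like this is a coarse filter; an unpredictable per-session token embedded in the administrative form and verified on submission is the stronger control.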
Current thread:
- BadBlue - Unauthorized Administrative Command Execution Matthew Murphy (Jul 20)
- Re: BadBlue - Unauthorized Administrative Command Execution ellipse (Jul 22)