Subject: [NEWS] Brown Orifice Netscape exploit is vulnerable itself
Date: Wed, 9 Aug 2000 22:57:09 +0200
Brown Orifice Netscape exploit is vulnerable itself
--------------------------------------------------------------------------------
SUMMARY
Brown Orifice HTTPD (BOHTTPD) is "a web server and file sharing tool" that
runs as a Java Applet in Netscape Navigator. It actually uses a very serious
vulnerability in Netscape Navigator to successfully run a Trojan on users'
systems.
This 'tool' contains a security vulnerability that can be used to override
its settings. The tool was created as a safe proof of concept, but there
is a way to bypass its settings so that additional access can be obtained.
DETAILS
Vulnerable systems:
BOHTTPD version 0.1
Brumleve's demonstration page politely asks users to specify a directory
on their computer for public access. However, by specifying "\.." in HTTP
requests to the server, an attacker can navigate the server's file system
and view/download any files. For example,
http://your-ip-address:8080/C:/temp/\../
or
http://your-ip-address:8080/C:/temp/%5C../
(for Internet Explorer as a client)
will display the contents of the root directory of the drive on the server's
computer.
This exposes users that try this 'harmless' demonstration to an outside
attack.
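A containment check that rejects both request forms shown above, as an added example (it is not BOHTTPD's code and does not come from the reporter). It uses Python's ntpath module to apply Windows path rules on any OS; SHARED_ROOT, naive_allows and resolve_request are hypothetical names, and the forward-slash-only filter is an assumed weak check shown for contrast, not a description of how BOHTTPD validates paths.

```python
import ntpath
from urllib.parse import unquote

# Constructed sample: the directory the user agreed to share.
SHARED_ROOT = "C:\\temp"


def naive_allows(url_path: str) -> bool:
    """Hypothetical weak filter: only rejects '..' segments delimited by '/'.

    A segment such as '\\..' is not equal to '..', so it passes, even though
    Windows treats the backslash as a path separator.
    """
    decoded = unquote(url_path)
    return ".." not in decoded.split("/")


def resolve_request(url_path: str, shared_root: str = SHARED_ROOT):
    """Return the normalized Windows path if it lies inside shared_root,
    otherwise None.

    The decision is made on the canonical form of the path, after
    percent-decoding and after both separators have been normalized,
    instead of by searching the raw request for forbidden substrings.
    """
    decoded = unquote(url_path).lstrip("/")   # '%5C' becomes '\'
    candidate = ntpath.normpath(decoded)      # '/' -> '\', collapses '..'
    root = ntpath.normpath(shared_root)

    # Windows paths are case-insensitive, so compare case-folded forms.
    cand_cmp = ntpath.normcase(candidate)
    root_cmp = ntpath.normcase(root)

    # Require the root itself or a path below it; the trailing separator
    # stops 'C:\tempfoo' from matching the root 'C:\temp'.
    if cand_cmp == root_cmp or cand_cmp.startswith(root_cmp + "\\"):
        return candidate
    return None


if __name__ == "__main__":
    for req in ("/C:/temp/docs/readme.txt", "/C:/temp/\\../",
                "/C:/temp/%5C../", "/C:/tempfoo/x"):
        print(f"{req!r:32} naive_allows={naive_allows(req)!s:5} "
              f"resolved={resolve_request(req)!r}")
```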
ADDITIONAL INFORMATION
The information has been provided by TAKAGI, Hiromitsu.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.