Subject: [NEWS] Brown Orifice Netscape exploit is vulnerable itself
Date: Wed, 9 Aug 2000 22:57:09 +0200

Brown Orifice Netscape exploit is vulnerable itself
--------------------------------------------------------------------------------

SUMMARY

Brown Orifice HTTPD (BOHTTPD) is "a web server and file sharing tool" that runs as a Java Applet in Netscape Navigator. It actually uses a very serious vulnerability in Netscape Navigator to successfully run a Trojan on users' systems. This 'tool' itself contains a security vulnerability that can be used to override its settings. The tool was created as a safe proof of concept, but its settings can be bypassed to obtain additional access.

DETAILS

Vulnerable systems:
BOHTTPD version 0.1

Brumleve's demonstration page politely asks users to specify a directory on their computer for public access. However, by specifying "\.." in HTTP requests to the server, an attacker can navigate the server's file system and view/download any files.

For example:
http://your-ip-address:8080/C:/temp/\../
or
http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer as a client)
will display the contents of the root directory of the drive on the server's computer. This exposes users who try this 'harmless' demonstration to an outside attack.

ADDITIONAL INFORMATION

The information has been provided by TAKAGI, Hiromitsu.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
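Added example, not part of the original bulletin and not BOHTTPD's code: the "\.." request forms from DETAILS, checked first by a hypothetical filter that only understands "/" as a separator and then by a check that normalizes with Windows path rules before comparing against the shared directory. The shared directory C:\temp and both function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any host OS
from urllib.parse import unquote

SHARED_ROOT = "C:\\temp"  # assumed shared directory, as in the bulletin's URLs


def naive_is_allowed(url_path, root=SHARED_ROOT):
    """Hypothetical flawed check: prefix match plus a '/'-only '..' filter."""
    path = unquote(url_path).lstrip("/")
    segments = path.split("/")  # backslash is not treated as a separator
    prefix = root.replace("\\", "/").lower()
    return path.lower().startswith(prefix) and ".." not in segments


def resolve_inside_root(url_path, root=SHARED_ROOT):
    """Return the normalized Windows path if it stays under root, else None."""
    path = unquote(url_path).lstrip("/")  # decode once, so %5C becomes '\'
    if "\x00" in path:
        return None
    # normpath treats both '/' and '\' as separators and collapses '..'
    resolved = ntpath.normcase(ntpath.normpath(path))
    base = ntpath.normcase(ntpath.normpath(root))
    if not ntpath.isabs(resolved):  # rejects drive-relative forms like 'C:temp'
        return None
    try:
        inside = ntpath.commonpath([base, resolved]) == base
    except ValueError:  # raised when the paths are on different drives
        return None
    return resolved if inside else None


if __name__ == "__main__":
    # Constructed request paths: the two forms from the bulletin plus controls.
    for req in ("/C:/temp/\\../", "/C:/temp/%5C../", "/C:/temp/../",
                "/C:/temp/docs/readme.txt", "/C:/temporary/x"):
        print(f"{req!r:32} naive={naive_is_allowed(req)!s:5} "
              f"hardened={resolve_inside_root(req)!r}")
```

Comparing whole path components with commonpath also rejects sibling directories such as C:\temporary, which a plain string-prefix test would accept.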