BadBlue ext.dll mfcisapicommand Parameter Remote Overflow - Nessus
Critical Plugin ID: 17241This page contains detailed information about the BadBlue ext.dll mfcisapicommand Parameter Remote Overflow Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 17241
Name: BadBlue ext.dll mfcisapicommand Parameter Remote Overflow
Filename: badblue_extdll.dos.nasl
Vulnerability Published: 2005-02-25
This Plugin Published: 2005-03-01
Last Modification Time: 2018-11-15
Plugin Version: 1.22
Plugin Type: remote
Plugin Family: Web Servers
Dependencies:
http_version.nasl
Vulnerability Information
Severity: Critical
Vulnerability Published: 2005-02-25
Patch Published: 2007-03-26
CVE [?]: CVE-2005-0595
CPE [?]: N/A
Synopsis
The remote web server is prone to buffer overflow attacks.
Description
The remote host is running a version of BadBlue HTTP server that has a buffer overflow vulnerability in 'ext.dll', a module that handles HTTP requests. An unauthenticated, remote attacker can leverage this vulnerability by sending an HTTP request containing a 'mfcisapicommand' parameter with more than 250 chars to kill the web server and possibly execute code remotely with Administrator rights.
Solution
Upgrade to BadBlue 2.60.0 or later.
Public Exploits
Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the BadBlue ext.dll mfcisapicommand Parameter Remote Overflow vulnerability:
- Metasploit: exploit/windows/http/badblue_ext_overflow
[BadBlue 2.5 EXT.dll Buffer Overflow] - Exploit-DB: exploits/windows/remote/16761.rb
[EDB-16761: BadBlue 2.5 - 'ext.dll' Remote Buffer Overflow (Metasploit)]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
| CVSS Base Score: | 10.0 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 10.0 |
| CVSS Temporal Score: | 8.3 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.3 (High) |
Go back to menu.
Plugin Source
This is the badblue_extdll.dos.nasl nessus plugin source code. This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description) {
script_id(17241);
script_version("1.22");
script_cve_id("CVE-2005-0595");
script_bugtraq_id(12673);
script_name(english:"BadBlue ext.dll mfcisapicommand Parameter Remote Overflow");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to buffer overflow attacks." );
script_set_attribute(attribute:"description", value:
"The remote host is running a version of BadBlue HTTP server that has a
buffer overflow vulnerability in 'ext.dll', a module that handles HTTP
requests. An unauthenticated, remote attacker can leverage this
vulnerability by sending an HTTP request containing a
'mfcisapicommand' parameter with more than 250 chars to kill the web
server and possibly execute code remotely with Administrator rights." );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Feb/671" );
script_set_attribute(attribute:"solution", value:
"Upgrade to BadBlue 2.60.0 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'BadBlue 2.5 EXT.dll Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/01");
script_set_attribute(attribute:"patch_publication_date", value: "2007/03/26");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/25");
script_cvs_date("Date: 2018/11/15 20:50:25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"Detects MFCISAPICommand remote buffer overflow vulnerability in BadBlue");
script_category(ACT_MIXED_ATTACK);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80, embedded: 0);
banner = get_http_banner(port:port);
if (!banner || "BadBlue/" >!< banner) exit(0);
if(safe_checks())
{
vulnerable = egrep(pattern:"^Server: BadBlue/([0-1]\.|2\.[0-5][^0-9])", string:banner);
if (vulnerable) security_hole(port);
exit (0);
}
else {
if (http_is_dead(port:port)) exit(0);
# Send a malicious request.
req = string(
"GET /ext.dll?mfcisapicommand=",
crap(length:251, data:"A"),
"&page=index.htx",
"\r\n\r\n"
);
r = http_send_recv_buf(port: port, data: req);
# If the server's down, it's a problem.
if (http_is_dead(port:port)) security_hole(port);
}
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/badblue_extdll.dos.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\badblue_extdll.dos.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/badblue_extdll.dos.nasl
Go back to menu.
How to Run
Here is how to run the BadBlue ext.dll mfcisapicommand Parameter Remote Overflow as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Web Servers plugin family.
- On the right side table select BadBlue ext.dll mfcisapicommand Parameter Remote Overflow plugin ID 17241.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl badblue_extdll.dos.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a badblue_extdll.dos.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - badblue_extdll.dos.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state badblue_extdll.dos.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: See also:
- https://www.tenable.com/plugins/nessus/17241
- https://seclists.org/fulldisclosure/2005/Feb/671
- https://vulners.com/nessus/BADBLUE_EXTDLL.DOS.NASL
- 11554 - BadBlue ISAPI Extension .hts Crafted File Extension Request Authentication Bypass
- 31654 - Apache < 1.3.37 mod_rewrite LDAP Protocol URL Handling Overflow
- 31655 - Apache < 2.0.59 mod_rewrite LDAP Protocol URL Handling Overflow
- 31659 - Apache < 2.2.3 mod_rewrite LDAP Protocol URL Handling Overflow
- 11030 - Apache Chunked Encoding Remote Overflow
- 14771 - Apache <= 1.3.33 htpasswd Local Overflow
- 10918 - Apache-SSL < 1.3.23+1.46 i2d_SSL_SESSION Function SSL Client Certificate Overflow
- 15774 - CCProxy Logging Compoent HTTP GET Request Remote Overflow
- 22494 - ePolicy Orchestrator HTTP /spipe/pkg/ Source Header Remote Overflow
- 11923 - Microsoft FrontPage Server Extensions (fp30reg.dll) Debug Function Remote Overflow (MS03-051 / 813360)
- 144291 - IBM HTTP Server 7.0.0.0 < 7.0.0.33 / 8.0.0.0 < 8.0.0.9 / 8.5.0.0 < 8.5.5.2 Buffer Overflow (244199)
- 25149 - IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows
- 14843 - Icecast HTTP Header Processing Remote Overflow
- 10657 - MS01-023: Microsoft IIS 5.0 Malformed HTTP Printer Request Header Remote Buffer Overflow (953155) (uncredentialed check)
- 10116 - Microsoft IIS ISM.DLL HTR Request Remote Overflow
- 11028 - Microsoft IIS .HTR Filter Multiple Overflows (MS02-028)
- 11412 - Microsoft IIS WebDAV ntdll.dll Remote Overflow (MS03-007)
- 11068 - iPlanet Chunked Encoding Processing Remote Overflow
- 26057 - lighttpd mod_fastcgi HTTP Request Header Remote Overflow
- 18424 - MiniShare Webserver HTTP GET Request Remote Overflow
- 31786 - Apache mod_jk2 Host Header Multiple Fields Remote Overflow
- 11809 - mod_mylo for Apache mylo_log Logging Function HTTP GET Overflow
- 10888 - Apache mod_ssl i2d_SSL_SESSION Function SSL Client Certificate Overflow
- 11161 - Microsoft Data Access Components RDS Data Stub Remote Overflow
- 105359 - nginx < 1.13.3 Integer Overflow Vulnerability
- 73519 - nginx < 1.4.7 / 1.5.12 SPDY Heap Buffer Overflow
- 11664 - Microsoft Media Services ISAPI nsiislog.dll Multiple Overflows
- 11183 - Null httpd Content-Length Header Handling Remote Overflow
- 132726 - OpenSSL 1.0.2 < 1.0.2u Procedure Overflow Vulnerability
- 132725 - OpenSSL 1.1.1 < 1.1.1e-dev Procedure Overflow Vulnerability
- 54924 - IBM Tivoli Management Framework Endpoint addr URL Remote Buffer Overflow
- 34781 - Oracle WebLogic Server mod_wl Invalid Parameter Remote Overflow (1150354)
- 33932 - Oracle WebLogic Server mod_wl POST Request Remote Overflow
- 35374 - Oracle WebLogic Server Plug-in Remote Overflow (1166189)
- 10320 - Web Server Long URL Handling Remote Overflow DoS
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file badblue_extdll.dos.nasl version 1.22. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
