SecurityTracker.com

Category:   Application (Generic)  >   Employee Toolkit (Best Buy)
Vendors:   Best Buy
Best Buy Employee Toolkit Lets Local Users Execute Arbitrary Commands and Also Discloses Server Password
SecurityTracker Alert ID:  1007509
SecurityTracker URL:  http://securitytracker.com/id/1007509
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 15 2003
Impact:   Disclosure of authentication information, Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  

Description:   A vulnerability was reported in Best Buy's Employee Toolkit software. A local user can execute arbitrary commands on the system. A local user can view user passwords.

It is reported that a local user can enter a specially crafted URL into the configuration screen to execute arbitrary commands on the system, gain command shell access, or execute programs on the system. The vulnerability is due to a flaw in parsing URLs, according to the report.

It is also reported that the system stores the 'net use' password (of the central server's administrator) in clear text in a file on the system. A local user can view the password.
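
The clear-text 'net use' password described above can be found in an audit of batch files. The following is an added example, not part of the original advisory or the vendor's software: it flags 'net use' lines that carry a password argument without echoing the password. The sample batch file, host, share and account names are constructed.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\S+')      # cmd.exe-style: double quotes group words
NET = {"net", "net.exe"}

def find_inline_password(line):
    """Return (share, kind) when a 'net use' line carries a password argument.

    kind is "literal" for a clear-text password and "variable" for %VAR%.
    Returns None for a '*' prompt, no password, or a line without 'net use'.
    """
    toks = TOKEN.findall(line.lstrip("@ \t"))
    low = [t.lower().rsplit("\\", 1)[-1] for t in toks]   # drop any path prefix
    for i in range(len(toks) - 1):
        if low[i] in NET and low[i + 1] == "use":
            args = toks[i + 2:]
            break
    else:
        return None
    # Keep positional arguments; switches (/user:, /persistent:, /delete) start with '/'.
    pos = [a.strip('"') for a in args if not a.startswith("/")]
    for j, arg in enumerate(pos[:-1]):
        if arg.startswith("\\\\") and pos[j + 1] != "*":   # UNC path, then password
            kind = "variable" if re.fullmatch(r"%\w+%", pos[j + 1]) else "literal"
            return arg, kind
    return None

def audit(text):
    """Return [(line_no, share, kind)]; the password itself is never echoed."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        hit = find_inline_password(line)   # commented-out (rem) lines are checked too
        if hit:
            findings.append((no, *hit))
    return findings

# Constructed sample batch file; host, shares, accounts and passwords are invented.
SAMPLE = r"""@echo off
net use S: \\STORESRV\data ExamplePw123 /user:administrator
net use T: \\STORESRV\apps * /user:clerk
net use U: \\STORESRV\logs %SRVPASS% /user:svc
rem net use V: "\\STORESRV\old share" "old pw" /user:administrator
net use S: /delete
"""

if __name__ == "__main__":
    for no, share, kind in audit(SAMPLE):
        print(f"line {no}: {kind} password for {share}")
```

A "variable" finding means the password is supplied through an environment variable, so the place where that variable is set needs the same review.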

The following notification timeline is provided:

05/05/2003 - Best Buy notified of vulnerability.
06/12/2003 - Best Buy coordinates with IBM to release a fix; Patch ineffective.
06/12/2003 - Best Buy notified of patch ineffectiveness, I was told vulnerability was not a serious problem.
07/27/2003 - Best Buy notified again of vulnerability and its impact.
08/14/2003 - No Response from Best Buy.
08/14/2003 - Public Disclosure.

Impact:   A local user can execute commands on the system. A local user can view the password for connecting to the central server (for the store) with administrative privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.bestbuy.com/
Cause:   Access control error, Input validation error

Message History:   None.


 Source Message Contents

Subject:  Best Buy Employee Toolkit Vulnerability




Title: URL Parsing and Plain Text Password disclosure in Best Buy Employee 
Toolkit Software
Provided by: cm`

----------------
  Best Buy Employee Toolkit Interactive is a software program used 
nationally by Best Buy Terminal Systems. The software allows employees the 
ability to check multiple systems throughout the internal network. A URL 
Parsing vulnerability in the configuration screen could allow an attacker 
to execute a command shell interface and hijack certain network 
connections or read plain-text passwords.

-----------------
Impact: High
-----------------

Analysis:
 -URL Parsing
   By pressing CTRL+SHIFT within the Employee Toolkit software and 
clicking on the exit button, a logged in user is given access to the 
Toolkit's configuration screen. An area within the configuration screen 
allows a logged in user to enter a URL. There is no bounds checking on 
what is entered in the URL area and an attacker could use this to execute 
a local command shell or execute other programs locally stored.

 -Plain-text Password Disclosure
   Once an attacker has executed a local command shell, they then have 
access to the root directory which houses a batch file that remotely 
mounts the Store's central server. The batch file uses the 'net use' 
command to map the server's drive and holds the password for the 
administrator of the central server in plain text.

  By combining the trickery of both the URL Parsing vulnerability and the 
plain-text password disclosure an attacker could execute telnet to 
remotely log into the central server as the administrator.
  Finding the servers on the local area network is as easy as executing 
the 'net view' command at command shell. Another method for finding these 
servers is to open a page within the employee toolkit and press CTRL+P 
to bring up the printing interface. Choose to print the text to a file 
then click the network button. This will bring up all of the computers 
connected to the Best Buy network.

-----------------
Vendor Status:
-----------------

 05/05/2003 - Best Buy notified of vulnerability.
 06/12/2003 - Best Buy coordinates with IBM to release a fix; Patch 
ineffective.
 06/12/2003 - Best Buy notified of patch ineffectiveness, I was told 
vulnerability was not a serious problem.
 07/27/2003 - Best Buy notified again of vulnerability and its impact.
 08/14/2003 - No Response from Best Buy.
 08/14/2003 - Public Disclosure.

 
 



Copyright 2021, SecurityGlobal.net LLC