TUCoPS :: Web :: Specific Sites :: bt888.txt

Best Buy Employee Toolkit Vulnerability 




Title: URL Parsing and Plain Text Password disclosure in Best Buy Employee 

Toolkit Software

Provided by: cm`



----------------

  Best Buy Employee Toolkit Interactive is a software program used 

nationally by Best Buy Terminal Systems. The software allows employees the 

ability to check multiple systems throughout the internal network. A URL 

Parsing vulnerability in the configuration screen could allow an attacker 

to execute a command shell interface and hijack certain network 

connections or read plain-text passwords.



-----------------

Impact: High

-----------------



Analysis:

 -URL Parsing

   By pressing CTRL+SHIFT within the Employee Toolkit software and 

clicking on the exit button, a logged in user is given access to the 

Toolkit's configuration screen. An area within the configuration screen 

allows a logged in user to enter a URL. There are no bounds checking on 

what is entered in the URL area and an attacker could use this to execute 

a local command shell or execute other programs locally stored.



 -Plain-text Password Disclosure

   Once an attacker has executed a local command shell, they then have 

access to the root directory which houses a batch file that remotely 

mounts the Store's central server. The batch file uses the 'net use' 

command to map the server's drive and holds the password for the 

administrator of the central server in plain text.



  By combining the trickery of both the URL Parsing vulnerability and the 

plain-text password disclosure an attacker could execute telnet to 

remotely log into the central server as the administrator.

  Finding the servers on the local area network is as easy as executing 

the 'net view' command at command shell. Another method for finding these 

servers is to open a page within the employee toolkit and pressing CTRL+P 

to bring up the printing interface. Choose to print the text to a file 

then click the network button. This will bring up all of the computers 

connected to the Best Buy network.



-----------------

Vendor Status:

-----------------



 05/05/2003 - Best Buy notified of vulnerability.

 06/12/2003 - Best Buy coordinates with IBM to release a fix; Patch 

ineffective.

 06/12/2003 - Best Buy notified of patch ineffectivness, I was told 

vulnerability was not a serious problem.

 07/27/2003 - Best Buy notified again of vulnerability and its impact.

 08/14/2003 - No Response from Best Buy.

 08/14/2003 - Public Disclosure.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH