badblue052003.txt

`BadBlue Remote Administrative Access Vulnerability  
  
I. Synopsis  
  
Affected Systems:  
* BadBlue 1.7  
* BadBlue 2.0  
* BadBlue 2.1  
* BadBlue 2.2  
Immune Systems:  
* BadBlue 2.3  
  
NOTE: BadBlue 1.6 and prior may be impacted; these systems were not tested.  
  
Risk: High (Remote LocalSystem Compromise)  
Vendor URL: http://www.badblue.com/  
Status: Fixed version is now available  
Download: http://www.badblue.com/down.htm  
* Windows 95/NT  
http://www.badblue.com/bb95.exe  
* Windows 98/2000/Me/XP  
http://www.badblue.com/bb98.exe  
  
II. Product Description  
  
"Run a web site on your own PC and share photos, movies, videos and  
music/MP3 files securely, free. BadBlue Personal Edition is much easier to  
use than a typical FTP server. Users can search or explore your shared  
folders... and domain-name support is also included."  
  
"BadBlue Enterprise Edition is the first to offer business file sharing...  
a complete, secure web server that shares Office files over the web: remote  
users only need browsers to view files (even Word, Excel and Access). And  
full-text search is also supported. Search, share, transfer files securely  
with colleagues..."  
  
(Quotes from http://www.badblue.com/)  
  
III. Vulnerability Description  
  
Among BadBlue's features is the ability to support ISAPI extensions. ISAPI  
provides the backbone for BadBlue's HTML-embedded scripting engine which  
powers most of the web-based administrative functionality. The engine  
attempts to restrict access to non-html files by requiring that 'ht' be the  
first letters of the target file's extension, and also requiring that  
requests to access '.hts' files are submitted by 127.0.0.1 and contain a  
proper 'Referer' header.  
  
This security feature is accomplished with a simple binary replace of the  
first two characters of the file extension. The two security checks are  
performed in an incorrect order, meaning that the first security check can  
inadvertantly bypass the latter.  
  
IV. Impact  
  
This vulnerability can be exploited to gain full administrative control of  
the server. Users running older releases are almost certainly impacted.   
The following URL:  
  
http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts  
  
will fail, while the following URL:  
  
http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats  
  
will succeed. Due to the security check's replacement of the 'a' with 'h',  
the URL points to a valid filename. However, because the header/origin  
check is attempted prior to the replacement, the match does not occur, and  
the request is allowed to continue. An example of this exploit is as  
follows:  
  
http://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=r  
oot&a2=%5C  
  
This adds '/root' as '\', revealing the server's primary volume. The  
attacker can then traverse the volume with the directory indexing feature  
of the server.  
  
V. Vendor Response  
  
Working Resources has released BadBlue 2.30, which fixes this  
vulnerability. BadBlue 2.3 also adds several other features. Users  
running internet-connected servers should install the new version as soon  
as possible:  
  
http://www.badblue.com/down.htm  
  
will work for Personal Edition users, and Enterprise edition users should  
contact Working Resources for an upgrade.  
  
--------------------------------------------------------------------  
mail2web - Check your email from the web at  
http://mail2web.com/ .  
  
  
`