
badblue052003.txt
Posted May 23, 2003
Authored by Matthew Murphy

BadBlue web server versions 2.2 and below have a vulnerability that allows remote attackers to gain administrative control of a server. The engine attempts to restrict access to non-html files by requiring that 'ht' be the first letters of the target file's extension, and also requiring that requests to access '.hts' files are submitted by 127.0.0.1 and contain a proper 'Referer' header. This security feature is accomplished with a simple binary replace of the first two characters of the file extension. The two security checks are performed in an incorrect order, meaning that the first security check can inadvertently bypass the latter.

tags | exploit, remote, web
SHA-256 | f852c3fef86aa05736d86e2685e0f3081337c1845300cb0286f034f7f66f44f0

BadBlue Remote Administrative Access Vulnerability

I. Synopsis

Affected Systems:
* BadBlue 1.7
* BadBlue 2.0
* BadBlue 2.1
* BadBlue 2.2
Immune Systems:
* BadBlue 2.3

NOTE: BadBlue 1.6 and prior may be impacted; these systems were not tested.

Risk: High (Remote LocalSystem Compromise)
Vendor URL: http://www.badblue.com/
Status: Fixed version is now available
Download: http://www.badblue.com/down.htm
* Windows 95/NT
http://www.badblue.com/bb95.exe
* Windows 98/2000/Me/XP
http://www.badblue.com/bb98.exe

II. Product Description

"Run a web site on your own PC and share photos, movies, videos and
music/MP3 files securely, free. BadBlue Personal Edition is much easier to
use than a typical FTP server. Users can search or explore your shared
folders... and domain-name support is also included."

"BadBlue Enterprise Edition is the first to offer business file sharing...
a complete, secure web server that shares Office files over the web: remote
users only need browsers to view files (even Word, Excel and Access). And
full-text search is also supported. Search, share, transfer files securely
with colleagues..."

(Quotes from http://www.badblue.com/)

III. Vulnerability Description

Among BadBlue's features is the ability to support ISAPI extensions. ISAPI
provides the backbone for BadBlue's HTML-embedded scripting engine which
powers most of the web-based administrative functionality. The engine
attempts to restrict access to non-html files by requiring that 'ht' be the
first letters of the target file's extension, and also requiring that
requests to access '.hts' files are submitted by 127.0.0.1 and contain a
proper 'Referer' header.

This security feature is accomplished with a simple binary replace of the
first two characters of the file extension. The two security checks are
performed in an incorrect order, meaning that the first security check can
inadvertently bypass the latter.

IV. Impact

This vulnerability can be exploited to gain full administrative control of
the server. Users running older releases are almost certainly impacted.
The following URL:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts

will fail, while the following URL:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats

will succeed. Due to the security check's replacement of the 'a' with 'h',
the URL points to a valid filename. However, because the header/origin
check is attempted prior to the replacement, the match does not occur, and
the request is allowed to continue. An example of this exploit is as
follows:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=root&a2=%5C

This adds '/root' as '\', revealing the server's primary volume. The
attacker can then traverse the volume with the directory indexing feature
of the server.
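To make the ordering bug in sections III and IV concrete, the following is an added model (not BadBlue's code, which lives in a closed-source ISAPI DLL) of the two checks run in the order the advisory describes and in the corrected canonicalize-then-authorize order; the function names, the request shape and the exact Referer rule are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

LOOPBACK = "127.0.0.1"

def force_ht_extension(page: str) -> str:
    """The 'binary replace' the advisory describes: overwrite the first two
    characters of the extension with 'ht', so 'dir.ats' becomes 'dir.hts'."""
    stem, dot, ext = page.rpartition(".")
    if not dot:
        return page
    return f"{stem}.ht{ext[2:]}"

def is_privileged(page: str) -> bool:
    """Only '.hts' pages carry the loopback/Referer requirement."""
    return page.lower().endswith(".hts")

def origin_ok(client_ip: str, referer: str) -> bool:
    """Assumed shape of the origin check: loopback client with a same-host
    Referer. The exact rule BadBlue applies is not stated in the advisory."""
    return client_ip == LOOPBACK and referer.startswith(f"http://{LOOPBACK}/")

def vulnerable_loadpage(page: str, client_ip: str, referer: str) -> tuple:
    """Order as the advisory describes it: check first, rewrite second. The
    check inspects 'dir.ats', sees no '.hts', and the rewritten file is served."""
    if is_privileged(page) and not origin_ok(client_ip, referer):
        return ("deny", page)
    return ("serve", force_ht_extension(page))

def fixed_loadpage(page: str, client_ip: str, referer: str) -> tuple:
    """Canonicalize first, then authorize the name that will actually be opened."""
    resolved = force_ht_extension(page)
    if is_privileged(resolved) and not origin_ok(client_ip, referer):
        return ("deny", resolved)
    return ("serve", resolved)

def decide(url: str, client_ip: str, referer: str, handler) -> tuple:
    """Pull the 'page' parameter out of an ext.dll URL and run one handler."""
    page = parse_qs(urlsplit(url).query)["page"][0]
    return handler(page, client_ip, referer)

if __name__ == "__main__":
    # Constructed requests: the advisory's two URLs, sent from a
    # non-loopback address with no Referer header.
    for url in ("http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts",
                "http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats"):
        for handler in (vulnerable_loadpage, fixed_loadpage):
            print(f"{handler.__name__:20} {url[-7:]} -> {decide(url, '203.0.113.5', '', handler)}")
```

The same lesson generalizes to any filter that rewrites its input after deciding on it: the access decision must be made on the fully resolved name, never on the raw request string.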

V. Vendor Response

Working Resources has released BadBlue 2.30, which fixes this
vulnerability. BadBlue 2.3 also adds several other features. Users
running internet-connected servers should install the new version as soon
as possible:

http://www.badblue.com/down.htm

will work for Personal Edition users, and Enterprise edition users should
contact Working Resources for an upgrade.

