BadBlue Remote Administrative Access Vulnerability

I. Synopsis

Affected Systems:
    * BadBlue 1.7
    * BadBlue 2.0
    * BadBlue 2.1
    * BadBlue 2.2
Immune Systems:
    * BadBlue 2.3

NOTE: BadBlue 1.6 and prior may be impacted; these systems were not tested.

Risk: High (Remote LocalSystem Compromise)
Vendor URL: http://www.badblue.com/
Status: Fixed version is now available
Download: http://www.badblue.com/down.htm
    * Windows 95/NT
      http://www.badblue.com/bb95.exe
    * Windows 98/2000/Me/XP
      http://www.badblue.com/bb98.exe

II. Product Description

"Run a web site on your own PC and share photos, movies, videos and
music/MP3 files securely, free. BadBlue Personal Edition is much easier to
use than a typical FTP server. Users can search or explore your shared
folders... and domain-name support is also included."

"BadBlue Enterprise Edition is the first to offer business file sharing...
a complete, secure web server that shares Office files over the web: remote
users only need browsers to view files (even Word, Excel and Access). And
full-text search is also supported. Search, share, transfer files securely
with colleagues..."

(Quotes from http://www.badblue.com/)

III. Vulnerability Description

Among BadBlue's features is the ability to support ISAPI extensions.  ISAPI
provides the backbone for BadBlue's HTML-embedded scripting engine which
powers most of the web-based administrative functionality.  The engine
attempts to restrict access to non-html files by requiring that 'ht' be the
first letters of the target file's extension, and also requiring that
requests to access '.hts' files are submitted by 127.0.0.1 and contain a
proper 'Referer' header.

This security feature is accomplished with a simple binary replace of the
first two characters of the file extension.  The two security checks are
performed in an incorrect order, meaning that the first security check can
inadvertantly bypass the latter.

IV. Impact

This vulnerability can be exploited to gain full administrative control of
the server.  Users running older releases are almost certainly impacted. 
The following URL:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts

will fail, while the following URL:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats

will succeed.  Due to the security check's replacement of the 'a' with 'h',
the URL points to a valid filename.  However, because the header/origin
check is attempted prior to the replacement, the match does not occur, and
the request is allowed to continue.  An example of this exploit is as
follows:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=r
oot&a2=%5C

This adds '/root' as '\', revealing the server's primary volume.  The
attacker can then traverse the volume with the directory indexing feature
of the server.

V. Vendor Response

Working Resources has released BadBlue 2.30, which fixes this
vulnerability.  BadBlue 2.3 also adds several other features.  Users
running internet-connected servers should install the new version as soon
as possible:

http://www.badblue.com/down.htm

will work for Personal Edition users, and Enterprise edition users should
contact Working Resources for an upgrade.

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .