BadBlue Remote Administrative Access Vulnerability I. Synopsis Affected Systems: * BadBlue 1.7 * BadBlue 2.0 * BadBlue 2.1 * BadBlue 2.2 Immune Systems: * BadBlue 2.3 NOTE: BadBlue 1.6 and prior may be impacted; these systems were not tested. Risk: High (Remote LocalSystem Compromise) Vendor URL: http://www.badblue.com/ Status: Fixed version is now available Download: http://www.badblue.com/down.htm * Windows 95/NT http://www.badblue.com/bb95.exe * Windows 98/2000/Me/XP http://www.badblue.com/bb98.exe II. Product Description "Run a web site on your own PC and share photos, movies, videos and music/MP3 files securely, free. BadBlue Personal Edition is much easier to use than a typical FTP server. Users can search or explore your shared folders... and domain-name support is also included." "BadBlue Enterprise Edition is the first to offer business file sharing... a complete, secure web server that shares Office files over the web: remote users only need browsers to view files (even Word, Excel and Access). And full-text search is also supported. Search, share, transfer files securely with colleagues..." (Quotes from http://www.badblue.com/) III. Vulnerability Description Among BadBlue's features is the ability to support ISAPI extensions. ISAPI provides the backbone for BadBlue's HTML-embedded scripting engine which powers most of the web-based administrative functionality. The engine attempts to restrict access to non-html files by requiring that 'ht' be the first letters of the target file's extension, and also requiring that requests to access '.hts' files are submitted by 127.0.0.1 and contain a proper 'Referer' header. This security feature is accomplished with a simple binary replace of the first two characters of the file extension. The two security checks are performed in an incorrect order, meaning that the first security check can inadvertantly bypass the latter. IV. Impact This vulnerability can be exploited to gain full administrative control of the server. Users running older releases are almost certainly impacted. The following URL: http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts will fail, while the following URL: http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats will succeed. Due to the security check's replacement of the 'a' with 'h', the URL points to a valid filename. However, because the header/origin check is attempted prior to the replacement, the match does not occur, and the request is allowed to continue. An example of this exploit is as follows: http://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=r oot&a2=%5C This adds '/root' as '\', revealing the server's primary volume. The attacker can then traverse the volume with the directory indexing feature of the server. V. Vendor Response Working Resources has released BadBlue 2.30, which fixes this vulnerability. BadBlue 2.3 also adds several other features. Users running internet-connected servers should install the new version as soon as possible: http://www.badblue.com/down.htm will work for Personal Edition users, and Enterprise edition users should contact Working Resources for an upgrade. -------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ .