[NEWS] BadBlue Contains Multiple Security Vulnerabilities

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 24 Jan 2002 22:50:11 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  BadBlue Contains Multiple Security Vulnerabilities
------------------------------------------------------------------------

SUMMARY

BadBlue (http://www.badblue.com/) is the technology behind Working
Resources Inc.'s product line of the same name; amongst other things it
also powers Deerfield.com's D2Gfx file sharing community. The BadBlue
technology suffers from multiple vulnerabilities: a resource exhaustion
attack can be executed against the server, and the flaws could be abused
to obtain read access to any file on the target host and to execute system
commands on it.

DETAILS

Vulnerable:
Issue 1:
 - BadBlue Enterprise Edition (v1.5.?) for Win9x/NT/2000/ME/XP
Issue 2:
 - BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
 - BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
 - BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
 - BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
 - Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for
Win9x/NT/2000/ME/XP

When the going goes wrong, part 1:
BadBlue's main purposes are web serving and peer-to-peer file sharing. Due
to configuration issues between these two functionalities, it is possible
to defeat the server's authentication scheme and execute commands on the
system. Three different approaches have been found that easily circumvent
BadBlue's IP-based authentication. For these attacks to work, the attacker
needs upload access to either a shared or a virtual directory on the
target system, or has to trick the system owner into placing the
attacker's files in such a directory.

Of all tested systems only BadBlue EE seems to include this upload
functionality and as such is the only system directly vulnerable to these
attacks. We feel, however, that these vulnerabilities reflect
implementation issues in the product line as a whole. Working Resources
Inc. will look into these in the next release of their product.

The attacks themselves consist of administrative command execution through
PHP or CGI-equivalent scripting, administrative command execution through
HTML tags, and system command execution through MS Word macros.

When the going goes wrong, part 2:
BadBlue includes the ability to serve transcoded MS Office document data
over the web through a number of scripts/templates. More specifically, the
server is compatible with MS Word, MS Excel and MS Access. Due to two
problems shared by the accompanying scripts doc.htx, xls.htx and mdb.htx,
however, it is possible to remotely spawn multiple instances of the
mentioned MS Office applications on the target system. This can be abused
as a resource exhaustion attack. In addition, the parsers for these
documents contain a directory traversal flaw, which could give an attacker
read access to any file on the target system. All systems tested (BadBlue
as well as D2Gfx) were vulnerable to these problems.
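Both template problems leave a recognisable trace in the web server's access log: a request for one of the three templates carrying a ".." sequence, or many template requests from one client in a short time (each one launches an Office instance on the server). The script below is an added example written for this page, not code from BadBlue, Working Resources or the advisory's authors. It assumes the log is in Common Log Format (the advisory does not describe BadBlue's own log format), and the sample lines, client addresses and query parameter shapes in it are constructed; the advisory does not give the real parameter names, so the traversal check looks for ".." segments anywhere in the decoded request target rather than in a particular parameter.

```python
"""Flag BadBlue Office-template abuse in web access logs (added example).

Assumptions: Common Log Format lines; the three templates named in the
advisory (doc.htx, xls.htx, mdb.htx); a burst threshold chosen here, not
taken from BadBlue.
"""
from collections import defaultdict
from datetime import datetime
import re
from urllib.parse import unquote, urlsplit

OFFICE_TEMPLATES = {"doc.htx", "xls.htx", "mdb.htx"}

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic): one traversal attempt from
# 10.0.0.5, six template requests in five seconds from 10.0.0.9, and two
# benign template requests from 10.0.0.7. Query shapes are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2002:22:50:11 +0100] "GET /index.htm HTTP/1.0" 200 512',
    '10.0.0.5 - - [24/Jan/2002:22:50:12 +0100] "GET /doc.htx?..%5c..%5csecret.txt HTTP/1.0" 200 1024',
    '10.0.0.7 - - [24/Jan/2002:22:50:30 +0100] "GET /doc.htx?file=report.doc HTTP/1.0" 200 4096',
    '10.0.0.7 - - [24/Jan/2002:22:55:30 +0100] "GET /xls.htx?file=budget.xls HTTP/1.0" 200 4096',
] + [
    f'10.0.0.9 - - [24/Jan/2002:22:51:0{i} +0100] "GET /xls.htx?file=budget.xls HTTP/1.0" 200 4096'
    for i in range(6)
]


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_office_template(target):
    """True if the request path ends in one of the three transcoding templates."""
    path = unquote(urlsplit(target).path)
    return path.rsplit("/", 1)[-1].lower() in OFFICE_TEMPLATES


def has_traversal(target):
    """True if the decoded path or query contains a '..' segment.

    Decodes twice to catch double-encoded sequences (%252e%252e%255c) and
    treats backslashes as separators, since the target host is Windows.
    """
    text = target
    for _ in range(2):
        text = unquote(text)
    text = text.replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=]", text))


def find_suspicious(lines, burst_threshold=5, window_seconds=60):
    """Return (kind, host, detail) findings: 'traversal' and 'burst'."""
    findings = []
    template_hits = defaultdict(list)  # host -> timestamps of template requests
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_office_template(rec["target"]):
            continue
        if has_traversal(rec["target"]):
            findings.append(("traversal", rec["host"], rec["target"]))
        template_hits[rec["host"]].append(rec["time"])
    # Sliding window per client: every template request spawns an Office
    # instance on the server, so a burst is the exhaustion pattern.
    for host, times in template_hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append(("burst", host,
                                 f"{end - start + 1} template requests within {window_seconds}s"))
                break
    return findings


if __name__ == "__main__":
    for kind, host, detail in find_suspicious(SAMPLE_LOG):
        print(f"{kind:10} {host:10} {detail}")
```

The burst threshold and window are tuning knobs: set them from how many concurrent Office instances the host can actually sustain, and feed the script the real log file in place of SAMPLE_LOG. The double decode and backslash normalisation matter because the server runs on Windows, where "..\" is as good as "../" and a single decoding pass misses %252e-style encoding.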

Vendor status:
The vendor has been notified and has verified the above issues. A new
version of the BadBlue software is currently in the making; no release
date was available at the time of writing.
Users are encouraged to upgrade as soon as the new BadBlue release becomes
available.

Workarounds:
1) Do not allow uploads to directories that can be accessed from the
server. This applies to virtual as well as shared directories.

2) If you have no use for the MS Office document sharing functions of
BadBlue, delete, rename or replace the following files: doc.htx, xls.htx
and mdb.htx.

3) If you do share MS Office documents through BadBlue, share them as
single files (meaning: do not select the "Share all files in this folder
(*.*)" option).

4) Limit the set of IP addresses from which your BadBlue server is
accessible to as few as possible through the "Restrict access by IP
address" menu under "Advanced web server functions".

A possible fifth recommendation would be to disable IRC sharing. This can
be done in BadBlue's "Set your searching options" menu. Although not a
security issue per se, this feature is enabled by default in the BadBlue
server installation (not in the D2Gfx version, which uses an older
version of the BadBlue technology) and, besides some information
disclosure, makes life quite a lot easier for anyone trying to find
potential targets. Alternatives will be included in the next BadBlue
release.

References:
Full advisories are available from http://labs.secureance.com:
sns2k2-badblue2-adv: "BadBlue Scripting Directory Traversal Vulnerability"
sns2k2-badblue3-adv: "BadBlue Extensions Authentication Bypassing Vulnerability"
sns2k2-badblue4-adv: "BadBlue Scripting Resource Exhaustion Vulnerability"
sns2k2-badblue5-adv: "BadBlue HTML Tag Command Execution Vulnerability"
sns2k2-badblue6-adv: "BadBlue Macro Execution Vulnerability"

ADDITIONAL INFORMATION

The information has been provided by Strumpf Noir Society
(vuln-dev@labs.secureance.com).
