[NT] BadBlue XSS Vulnerabilities / Filesharing Server Worm

From: support@securiteam.com
Date: 03/03/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  3 Mar 2002 22:33:43 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  BadBlue XSS Vulnerabilities / Filesharing Server Worm
------------------------------------------------------------------------

SUMMARY

 <http://www.badblue.com/> BadBlue is the technology behind Working
Resources Inc.'s product line of the same name and, amongst other
things, also powers Deerfield.com's D2Gfx file sharing community. A cross
site scripting vulnerability has been found in the product that would
allow remote attackers to cause the product to insert malicious code
(HTML and/or JavaScript) into existing web pages, making it look as if
the code were provided by the server.

DETAILS

Vulnerable:
 - BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
 - BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
 - BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
 - BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP

 - Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for
Win9x/NT/2000/ME/XP

Immune:
 - BadBlue v1.6.1 Beta

The BadBlue server technology does not adequately validate and filter URL
input from untrustworthy sources. This can be abused to create a malicious
link to the server containing arbitrary script code. When a legitimate
user browses the malicious link, the script code will be executed in the
user's browser. Building on this problem, it is possible for a remote
attacker to gain control of any/all machines performing searches on the
network through a combination of this problem and a weak authentication
scheme.

Cross site scripting example:
http://server/<script>alert("doh!")</script>

This problem is made worse because it is also found in the numerous
administrative scripts shipped with the server, which do not filter URL
input correctly either. The problem here is not so much that script code
can be executed in local pages, since there is no real security hazard
there. However, these scripts can be used to insert script code into
variables that are displayed when other users on the filesharing network
search the local machine for files. This will execute the script in the
browsers of those (remote) users as well. Since the server only checks the
(local) IP used to authenticate a user as the server admin, this script
could well be used to execute commands on remote machines running BadBlue.
A quick proof-of-concept script we wrote was able to spread
to remote machines doing a search (no other user interaction required!),
create a user account on the target server, "phone home" the details
and hide itself, ready to spread to a !
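The two injection paths described above (a value echoed straight from the request URL, and a value stored through an admin script and later shown in other users' search results) share one root cause and one fix: untrusted text is placed into HTML without escaping. The following added example, not BadBlue's code, uses hypothetical page templates to render both paths in vulnerable and escaped form, and includes a small checker that parses the rendered page and reports any tags or event-handler attributes the template never emits. The payload is the advisory's own proof-of-concept string; the share name and file list are constructed sample data.

```python
"""Reflected and stored XSS in a tiny file-server page: vulnerable vs. escaped rendering.

Hypothetical minimal templates for illustration; this is not BadBlue's code.
"""
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed payload: the advisory's proof-of-concept string, already URL-decoded.
XSS_PAYLOAD = '<script>alert("doh!")</script>'

# Tags the templates below legitimately emit; any other tag in the output was injected.
EXPECTED_TAGS = {"html", "body", "h1", "p", "ul", "li"}


def not_found_page_unsafe(requested_path: str) -> str:
    """Vulnerable: echoes the raw request path into the error page (reflected XSS)."""
    return (f"<html><body><h1>Not found</h1>"
            f"<p>No such file: {requested_path}</p></body></html>")


def not_found_page_safe(requested_path: str) -> str:
    """Hardened: HTML-escape the untrusted value. quote=True also encodes quotes,
    so the same helper is safe when the value lands inside an attribute."""
    return (f"<html><body><h1>Not found</h1>"
            f"<p>No such file: {html.escape(requested_path, quote=True)}</p></body></html>")


def search_results_page(share_name: str, files, escape: bool) -> str:
    """Stored case: share_name was set earlier through an admin script and is shown to
    every remote user who searches this machine. With escape=False the injected
    script runs in their browsers; with escape=True it is rendered as literal text."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    items = "".join(f"<li>{enc(f)}</li>" for f in files)
    return f"<html><body><h1>Files on {enc(share_name)}</h1><ul>{items}</ul></body></html>"


class _TagCollector(HTMLParser):
    """Collects (tag, attrs) for every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def injected_markup(rendered: str) -> list:
    """Return the tags in the rendered page that no template emits, plus any
    attribute that looks like an event handler (on*=). Empty list means clean."""
    parser = _TagCollector()
    parser.feed(rendered)
    found = []
    for tag, attrs in parser.tags:
        if tag not in EXPECTED_TAGS:
            found.append(tag)
        for name, _ in attrs:
            if name.lower().startswith("on"):
                found.append(f"{tag}@{name}")
    return found


def demo() -> dict:
    """Run both paths, vulnerable and hardened, and report what the checker finds."""
    # What the advisory's example URL decodes to once the server unescapes it.
    path = unquote("/%3Cscript%3Ealert(%22doh!%22)%3C/script%3E")
    sample_files = ["holiday.jpg", "notes.txt"]  # constructed sample data
    return {
        "reflected_unsafe": injected_markup(not_found_page_unsafe(path)),
        "reflected_safe": injected_markup(not_found_page_safe(path)),
        "stored_unsafe": injected_markup(search_results_page(XSS_PAYLOAD, sample_files, escape=False)),
        "stored_safe": injected_markup(search_results_page(XSS_PAYLOAD, sample_files, escape=True)),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {'INJECTED ' + str(hits) if hits else 'clean'}")
```

The checker is deliberately template-specific: it treats anything outside the fixed set of tags the page is known to emit as injected, which is a reliable regression test for a handful of static templates but not a general XSS filter. The real control is the escaping on output, applied to every untrusted value regardless of whether it arrived in the current request or was stored earlier by a (locally authenticated) admin script.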

Solution:
Vendor has been notified. BadBlue v1.6.1 Beta has recently been released
which fixes several, but not all, occurrences of XSS in BadBlue. Users are
encouraged to upgrade to this version because it fixes another security
problem in the software (as described in our advisory
sns2k2-badblue7-adv), but are advised to disable all scripting while
running BadBlue.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:vuln-dev@labs.secureance.com> Strumpf Noir Society.
