[NT] BadBlue Directory Traversal Vulnerability (./ Removal)

From: support@securiteam.com
Date: 03/04/02


To: list@securiteam.com
Date: Mon,  4 Mar 2002 09:23:01 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  BadBlue Directory Traversal Vulnerability (./ Removal)
------------------------------------------------------------------------

SUMMARY

BadBlue (http://www.badblue.com) is the technology behind Working
Resources Inc.'s product line of the same name and, amongst other
things, also powers Deerfield.com's D2Gfx file sharing community. A
security vulnerability in the product allows attackers to access files
that would otherwise be inaccessible, using a directory traversal attack.

DETAILS

Vulnerable systems:
 - BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
 - BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
 - BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
 - BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
 - BadBlue Personal Edition (v1.6 Beta) for Win95/NT4
 - BadBlue Personal Edition (v1.6 Beta) for Win98/2000/ME/XP
 - BadBlue Enterprise Edition (v1.6 Beta) for Win95/NT4
 - BadBlue Enterprise Edition (v1.6 Beta) for Win98/2000/ME/XP

 - Deerfield D2Gfx (v1.0.2 - effectively BadBlue v1.0.2) for Win9x/NT/2000/ME/XP

Earlier versions were already found vulnerable to other directory
traversal attacks.

Immune systems:
BadBlue version 1.6.1

The BadBlue server has been vulnerable to several directory traversal
attacks in the past. One of these was the "regular" double-dot traversal
attack. Another was described in the earlier advisory
sns2k2-badblue2-adv, entitled "BadBlue Scripting Directory Traversal
Vulnerability".
Working Resources Inc. has applied fixes for both problems; however, these
fixes can easily be circumvented.

The problem is that the BadBlue server filters the "./" sequence out of
URLs to prevent the directory traversal attacks described above. Removing
the sequence, rather than rejecting the request, leaves a window of
exploitation for variations on these characters, which are not correctly
removed from the input.

Example:
http://server/.../...//file.ext

The problem is obvious and allows an attacker to read any file on the
server.
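As an added illustration that is not part of this advisory and not BadBlue's code: the model filter below is an assumption about the class of filter the advisory describes (deleting "./" from the request), written to show why removal is not a safe fix, and resolve_safely() shows the check a server should make instead, under which the example URL above is treated as a request for ordinary files named "..." inside the document root. DOCROOT and every sample path are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for this example; BadBlue's real layout is not on the page.
DOCROOT = "/srv/www"


def strip_dot_slash_once(path: str) -> str:
    """Model of a single-pass blacklist filter that deletes every './' it finds.

    Assumed model of the class of filter the advisory describes, not the
    vendor's actual code. Deleting a token can splice the characters on
    either side of it back into that same token.
    """
    return path.replace("./", "")


def filter_is_fixpoint(filter_fn, sample: str) -> bool:
    """A removal filter can only be trusted on an input if running it a
    second time changes nothing; if the second pass still finds something
    to remove, the first pass emitted the very sequence it meant to strip."""
    once = filter_fn(sample)
    return filter_fn(once) == once


def resolve_safely(docroot: str, url_path: str) -> Optional[str]:
    """Hardened lookup: decode, normalise separators, canonicalise, then
    verify the canonical result is still under docroot.

    Returns the filesystem path, or None when the request would escape
    the document root. Nothing is stripped from the request; it is either
    served as-is after canonicalisation or rejected outright."""
    decoded = unquote(url_path)
    # On Windows hosts (BadBlue's platform) a backslash is also a separator.
    decoded = decoded.replace("\\", "/")
    # Canonicalise lexically: collapses '//' and '.' segments and resolves
    # '..' against the directories that precede it. A segment such as '...'
    # is an ordinary file name to normpath, not a traversal.
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    # Containment check on the canonical form, never on the raw request.
    # A production server would additionally realpath() to handle symlinks.
    if candidate != docroot and not candidate.startswith(docroot + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ["/docs/file.ext", ".../...//file.ext", "../../etc/passwd"]:
        print(f"{req!r:28} -> {resolve_safely(DOCROOT, req)!r}")
```

The fixpoint test is the quick diagnostic for any removal-based filter: if filter(filter(x)) differs from filter(x) for some x, the filter can be made to manufacture the sequence it was written to remove, which is exactly the failure class this advisory reports. The hardened path avoids the question entirely by canonicalising and then checking containment.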

Solution:
The vendor has been notified and has released BadBlue v1.6.1, which
properly parses requests like this.

ADDITIONAL INFORMATION

The information has been provided by Strumpf Noir Society
(vuln-dev@labs.secureance.com).
