[NT] BadBlue Arbitrary Administrative Actions Vulnerability
From: support@securiteam.com
Date: 04/21/03
From: support@securiteam.com To: list@securiteam.com Date: 21 Apr 2003 13:44:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BadBlue Arbitrary Administrative Actions Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.badblue.com/> BadBlue is a "powerful Web/P2P server with
native Gnutella capabilities, filters, CGI, and ISAPI. It ships with an
ISAPI module that provides an HTML-embedded dynamic web page language;
this language powers the BadBlue WBA". A vulnerability in the product
allows remote attackers to execute administrative actions without first
authenticating as an administrator.
DETAILS
Vulnerable systems:
* BadBlue version 2.15 and prior
Immune systems:
* BadBlue version 2.16 and later
The BadBlue ISAPI module (ext.dll) parses server-side pages through the
LoadPage command, using the following syntax:
http://[target]/ext.dll?MfcIsapiCommand=LoadPage&page=[pagename]&a0=[arg]&a1=...
The DLL attempts to keep remote users away from .hts pages (the pages that
carry the administrative interface) in two ways: it checks the 'Referer'
HTTP header of the request, and it requires that all requests for .hts pages
originate from 127.0.0.1 (the loopback address). Note that a Referer check
is no authorization control on its own, since the client sets the header.
The loopback rule is what matters here, and it is applied to the literal
page name in the request. By appending certain characters that are not
valid in a Windows file name to the requested page name (the example below
uses an encoded trailing space, %20), a remote client can get BadBlue to
process .hts pages: the name 'admin.hts ' does not end in '.hts', so the
restriction is not applied, while the file that is actually opened is
admin.hts (Win32 path handling discards trailing spaces and dots). The
result is administrative control of the server for the attacker.
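The following is an added illustration of the check-versus-open mismatch described above; it is written for this page and is not BadBlue's own code (which the advisory does not show). It assumes the bypassed check is a plain suffix comparison on the 'page' parameter and that the file system strips trailing spaces and dots, and it models only the loopback rule, not the Referer rule. The URLs reuse the advisory's request shapes with [target] replaced by a documentation address.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical emulation of the access check the advisory describes (assumption:
# a suffix test on the raw parameter). Not BadBlue's code.
PROTECTED_SUFFIX = ".hts"
LOOPBACK = "127.0.0.1"

# Request shapes from the advisory, [target] replaced by a documentation address.
EXPLOIT_URL = ("http://192.0.2.10/ext.dll?MfcIsapiCommand=LoadPage"
               "&page=admin.hts%20&a0=add&a1=root&a2=%5C")
NORMAL_URL = "http://192.0.2.10/ext.dll?MfcIsapiCommand=LoadPage&page=admin.hts&a0=list"


def page_param(url: str) -> str:
    """Extract the (percent-decoded) 'page' query parameter."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("page", [""])[0]


def naive_is_protected(page: str) -> bool:
    """Suffix test on the parameter as received: 'admin.hts ' does not end in
    '.hts', so the request is treated as a public page. This is the bypassed check."""
    return page.lower().endswith(PROTECTED_SUFFIX)


def win32_effective_name(name: str) -> str:
    """Name the Win32 file APIs actually open: trailing spaces and dots are
    dropped, so 'admin.hts ' and 'admin.hts.' both open admin.hts."""
    return name.rstrip(" .")


def hardened_is_protected(page: str) -> bool:
    """Decide on the canonical name, not the raw parameter: decode again in case
    of double encoding, keep only the last path component, strip what the file
    system would strip, and fail closed on characters no page name should contain."""
    name = unquote(page).replace("\\", "/").rsplit("/", 1)[-1]
    name = win32_effective_name(name)
    if name == "" or name != name.strip() or any(ord(c) < 32 or c in '<>:"|?*' for c in name):
        return True
    return name.lower().endswith(PROTECTED_SUFFIX)


def would_serve(url: str, client_ip: str, is_protected) -> bool:
    """True if the server lets client_ip load the page named in url."""
    if is_protected(page_param(url)) and client_ip != LOOPBACK:
        return False
    return True


if __name__ == "__main__":
    for label, check in (("naive", naive_is_protected), ("hardened", hardened_is_protected)):
        served = would_serve(EXPLOIT_URL, "10.0.0.5", check)
        print(f"{label:9s} check: remote exploit request served = {served}")
```

The design point is the usual one: make the authorization decision on the same canonical name that the file-open call will use, and reject anything that only becomes a valid name after the operating system rewrites it.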
Impact:
By issuing a specially-crafted request, such as:
http://[target]/ext.dll?MfcIsapiCommand=LoadPage&page=admin.hts%20&a0=add&a1=root&a2=%5C
an attacker can perform any administrative action on the server. The
example above adds a virtual directory named 'root' that maps to the '\'
path, i.e. the root of the drive. The attacker can then request the ext.ini
file with a request such as:
http://[target]/Program%20Files/BadBlue/PE/ext.ini
The exact path varies with the version and installation directory of
BadBlue, but directory listing of virtual directories is enabled by default,
so an attacker can browse the file system looking for files of interest.
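For anyone who needs to find attempts of this kind in web server logs, here is an added detection example; it is not part of the advisory. It scans constructed Common Log Format lines (invented sample traffic, not real data) for LoadPage requests to ext.dll whose 'page' parameter names a .hts page from a non-loopback address, or carries a trailing space or dot that the file system would discard. The log format and the `/ext.dll` path are assumptions about how the server is deployed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2003:13:44:30 +0200] "GET /ext.dll?MfcIsapiCommand=LoadPage&page=admin.hts%20&a0=add&a1=root&a2=%5C HTTP/1.0" 200 1532
10.0.0.5 - - [21/Apr/2003:13:44:31 +0200] "GET /Program%20Files/BadBlue/PE/ext.ini HTTP/1.0" 200 874
10.0.0.9 - - [21/Apr/2003:13:45:02 +0200] "GET /ext.dll?MfcIsapiCommand=LoadPage&page=search.hts HTTP/1.0" 403 212
127.0.0.1 - - [21/Apr/2003:13:46:10 +0200] "GET /ext.dll?MfcIsapiCommand=LoadPage&page=admin.hts&a0=list HTTP/1.0" 200 2048
10.0.0.7 - - [21/Apr/2003:13:47:00 +0200] "GET /index.html HTTP/1.0" 200 5120
10.0.0.8 - - [21/Apr/2003:13:48:00 +0200] "GET /ext.dll?MfcIsapiCommand=LoadPage&page=admin.hts%2e&a0=add HTTP/1.0" 200 1532
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
LOOPBACK = "127.0.0.1"


def canonical(name: str) -> str:
    """What Win32 would actually open: trailing spaces and dots dropped."""
    return name.rstrip(" .")


def analyze_line(line: str):
    """Return a finding dict for a suspicious LoadPage request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m["ip"], m["target"], int(m["status"])
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/ext.dll"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("MfcIsapiCommand", [""])[0] != "LoadPage":
        return None
    page = qs.get("page", [""])[0]          # percent-decoded by parse_qs
    base = page.replace("\\", "/").rsplit("/", 1)[-1]
    effective = canonical(base)
    reasons = []
    if effective != base:
        reasons.append("trailing space/dot in page name")
    if effective.lower().endswith(".hts") and ip != LOOPBACK:
        reasons.append("remote .hts request")
        if status == 200:
            reasons.append("served (200) to remote client: filter bypass likely")
    if not reasons:
        return None
    return {"ip": ip, "timestamp": m["ts"], "page": page, "status": status, "reasons": reasons}


def scan(log_text: str):
    """Run analyze_line over every line and collect the findings in log order."""
    return [hit for hit in (analyze_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']:10s} {hit['status']} page={hit['page']!r}: {'; '.join(hit['reasons'])}")
```

A remote .hts request that was answered with 403 is the filter doing its job, but it is still a probe worth recording; the 200 responses with a mangled page name are the ones to escalate, and the ext.ini fetch that follows one of them is the corroborating event to look for next.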
Vendor Response:
Working Resources was contacted on April 12, 2003. The latest version
(2.16) fixes this vulnerability. Personal Edition users may download it
from: http://www.badblue.com/down.htm
Enterprise Edition customers should contact Working Resources for an
upgrade.
ADDITIONAL INFORMATION
The information has been provided by Matthew Murphy <mattmurphy@kc.rr.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.