[NT] BadBlue Remote Administrative Access Vulnerability (ATS)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/21/03
To: list@securiteam.com Date: 21 May 2003 19:06:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BadBlue Remote Administrative Access Vulnerability (ATS)
------------------------------------------------------------------------
SUMMARY
<http://www.badblue.com/> BadBlue is a "powerful Web/P2P server with
native Gnutella capabilities, filters, CGI, and ISAPI. It ships with an
ISAPI module that provides an HTML-embedded dynamic web page language;
this language powers the BadBlue WBA". A vulnerability in the product
allows remote attackers to gain access to administrative sections by
requesting a specially crafted URL.
DETAILS
Affected Systems:
* BadBlue 1.7
* BadBlue 2.0
* BadBlue 2.1
* BadBlue 2.2
Immune Systems:
* BadBlue 2.3
Among BadBlue's features is the ability to support ISAPI extensions. ISAPI
provides the backbone for BadBlue's HTML-embedded scripting engine that
powers most of the web-based administrative functionality. The engine
attempts to restrict access to non-html files by requiring that 'ht' be
the first letters of the target file's extension, and requiring that
requests to access '.hts' files are submitted by 127.0.0.1 and contain a
proper 'Referer' header.
This security feature is implemented as a simple binary replace of the
first two characters of the file extension. The two security checks are
performed in the wrong order, so the extension rewrite can inadvertently be
used to bypass the origin/Referer check.
Impact:
This vulnerability can be exploited to gain full administrative control of
the server. Users running older releases are almost certainly impacted.
The following URL:
http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts
will fail, while the following URL:
http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats
will succeed. Due to the security check's replacement of the 'a' with 'h',
the URL points to a valid filename. However, because the header/origin
check is attempted prior to the replacement, the match does not occur, and
the request is allowed to continue. An example of this exploit is as
follows:
http://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=root&a2=%5C
This adds '/root' as '\', revealing the server's primary volume. The
attacker can then traverse the volume with the directory-indexing feature
of the server.
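To make the check-ordering bug concrete, the following is an added Python model of the two checks described above; it is not BadBlue's code, and the "proper Referer" rule (a Referer pointing at the local server) and the constructed client address 10.0.0.5 are assumptions. It shows the vulnerable order, the corrected order, and a log-review heuristic for spotting the rewritten-extension pattern.

```python
from urllib.parse import parse_qs, urlsplit
# Assumed meaning of the advisory's "proper Referer": one pointing at the local server.
LOCAL_REFERER = "http://localhost/"

def page_param(url):
    """Extract the 'page' query parameter that loadpage acts on."""
    return parse_qs(urlsplit(url).query).get("page", [""])[0]

def normalize_ext(page):
    """Model of the extension handling the advisory describes: the first two
    characters of the extension are overwritten with 'ht' ('dir.ats' -> 'dir.hts')."""
    stem, dot, ext = page.rpartition(".")
    return page if not dot else f"{stem}.ht{ext[2:]}"

def origin_ok(ext, remote_addr, referer):
    """'.hts' pages may only be loaded from 127.0.0.1 with a local Referer."""
    if ext.lower() != "hts":
        return True
    return remote_addr == "127.0.0.1" and referer.startswith(LOCAL_REFERER)

def serve_vulnerable(url, remote_addr, referer=""):
    """Order described for BadBlue 1.7-2.2: the origin check sees the requested
    extension ('ats') and passes; only afterwards is it rewritten to 'hts'."""
    page = page_param(url)
    if not origin_ok(page.rpartition(".")[2], remote_addr, referer):
        return None
    return normalize_ext(page)

def serve_fixed(url, remote_addr, referer=""):
    """Corrected order: rewrite first, then check the file that will really be opened."""
    target = normalize_ext(page_param(url))
    if not origin_ok(target.rpartition(".")[2], remote_addr, referer):
        return None
    return target

def looks_like_bypass(url):
    """Log-review heuristic: a 'page' value that is not '.hts' as requested but
    becomes '.hts' after the rewrite (e.g. the '.ats' form from the advisory)."""
    page = page_param(url)
    return (page.rpartition(".")[2].lower() != "hts"
            and normalize_ext(page).lower().endswith(".hts"))

if __name__ == "__main__":
    # Constructed request: remote client 10.0.0.5 (placeholder), no Referer.
    ats = "http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats"
    print(serve_vulnerable(ats, "10.0.0.5"))   # dir.hts (served: the bypass)
    print(serve_fixed(ats, "10.0.0.5"))        # None (refused after the fix)
    print(looks_like_bypass(ats))              # True
```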
Vendor Response:
Working Resources has released BadBlue 2.30, which fixes this
vulnerability. BadBlue 2.3 also adds several other features. Users running
internet-connected servers should install the new version as soon as
possible: <http://www.badblue.com/down.htm>
This download serves Personal Edition users; Enterprise Edition users
should contact Working Resources for an upgrade.
ADDITIONAL INFORMATION
The information has been provided by <mailto:mattmurphy@kc.rr.com> Matt
Murphy.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.