BadBlue XSS vulnerabilities / Filesharing Server Worm

From: Strumpf Noir Society (vuln-dev@labs.secureance.com)
Date: 02/26/02 

Date: Tue, 26 Feb 2002 17:38:47 +0100
From: Strumpf Noir Society <vuln-dev@labs.secureance.com>
To: bugtraq@securityfocus.com

Strumpf Noir Society Advisories
! Public release !
<--#

-= BadBlue XSS vulnerabilities / Filesharing Server Worm =-

Release date: Tuesday, February 26, 2002

Introduction:

BadBlue is the technology behind Working Resources Inc.'s product line with
the same name and which, amongst other things, also powers Deerfield.com's
D2Gfx file sharing community.

Working Resources Inc. : http://www.badblue.com
Deerfield's D2Gfx : http://d2gfx.deerfield.com

Problem:

The BadBlue server technology does not adequately validate and filter URL
input from untrustworthy sources. This can be abused to create a malicious
link to the server containing arbitrary script code. When a legitimate user
browses the malicious link, the script code will be executed in the user's
browser. Extending on this problem, it is possible for a remote attacker to
gain control of any/all machines performing searches on the network through
a combination of this problem and a weak authentication scheme.

Cross site scripting example:

http://server/>alert("doh!")</script>

This problem is made worse due to the fact that it is also found in the
numerous administrative scripts coming with the server, which do not filer
URL input correctly either. The problem here is not so much that script code
can be executed in local pages, since there is no real security hazard there.
However, these scripts can be used to insert script code into variables
which are displayed when other users on the filesharing network search the
local machine for files. This will execute the script in the browser of those
(remote) users as well. Since the server only checks the (local) ip used to
authenticate a user as the server admin, this script could well be used to
execute commands on remote machines running BadBlue. A quick piece of script
we wrote as a proof of concept was able to spread to remote machines doing a
search (no other user-interaction required!), create a user account on the
target server and "phone home" the details and hide itself, ready to spread
to a next machine.

(..)

Solution:

Vendor has been notified. BadBlue v1.6.1 Beta has recently been released which
fixes several, but not all, occurances of XSS in BadBlue. Users are encouraged
to upgrade to this version because it fixes another security problem in the
software (as described in our advisory sns2k2-badblue7-adv), but are advised
to disable all scripting while running BadBlue.

Vulnerable:

- BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
- BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP

- Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for
Win9x/NT/2000/ME/XP

yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!