exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

badblue052003.txt

badblue052003.txt
Posted May 23, 2003
Authored by Matthew Murphy

BadBlue web server versions 2.2 and below have a vulnerability that allows remote attackers to gain administrative control of a server. The engine attempts to restrict access to non-html files by requiring that 'ht' be the first letters of the target file's extension, and also requiring that requests to access '.hts' files are submitted by 127.0.0.1 and contain a proper 'Referer' header. This security feature is accomplished with a simple binary replace of the first two characters of the file extension. The two security checks are performed in an incorrect order, meaning that the first security check can inadvertently bypass the latter.

tags | exploit, remote, web
SHA-256 | f852c3fef86aa05736d86e2685e0f3081337c1845300cb0286f034f7f66f44f0

badblue052003.txt

Change Mirror Download
BadBlue Remote Administrative Access Vulnerability

I. Synopsis

Affected Systems:
* BadBlue 1.7
* BadBlue 2.0
* BadBlue 2.1
* BadBlue 2.2
Immune Systems:
* BadBlue 2.3

NOTE: BadBlue 1.6 and prior may be impacted; these systems were not tested.

Risk: High (Remote LocalSystem Compromise)
Vendor URL: https://www.badblue.com/
Status: Fixed version is now available
Download: https://www.badblue.com/down.htm
* Windows 95/NT
https://www.badblue.com/bb95.exe
* Windows 98/2000/Me/XP
https://www.badblue.com/bb98.exe

II. Product Description

"Run a web site on your own PC and share photos, movies, videos and
music/MP3 files securely, free. BadBlue Personal Edition is much easier to
use than a typical FTP server. Users can search or explore your shared
folders... and domain-name support is also included."

"BadBlue Enterprise Edition is the first to offer business file sharing...
a complete, secure web server that shares Office files over the web: remote
users only need browsers to view files (even Word, Excel and Access). And
full-text search is also supported. Search, share, transfer files securely
with colleagues..."

(Quotes from https://www.badblue.com/)

III. Vulnerability Description

Among BadBlue's features is the ability to support ISAPI extensions. ISAPI
provides the backbone for BadBlue's HTML-embedded scripting engine which
powers most of the web-based administrative functionality. The engine
attempts to restrict access to non-html files by requiring that 'ht' be the
first letters of the target file's extension, and also requiring that
requests to access '.hts' files are submitted by 127.0.0.1 and contain a
proper 'Referer' header.

This security feature is accomplished with a simple binary replace of the
first two characters of the file extension. The two security checks are
performed in an incorrect order, meaning that the first security check can
inadvertantly bypass the latter.

IV. Impact

This vulnerability can be exploited to gain full administrative control of
the server. Users running older releases are almost certainly impacted.
The following URL:

https://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts

will fail, while the following URL:

https://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats

will succeed. Due to the security check's replacement of the 'a' with 'h',
the URL points to a valid filename. However, because the header/origin
check is attempted prior to the replacement, the match does not occur, and
the request is allowed to continue. An example of this exploit is as
follows:

https://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=r
oot&a2=%5C

This adds '/root' as '\', revealing the server's primary volume. The
attacker can then traverse the volume with the directory indexing feature
of the server.

V. Vendor Response

Working Resources has released BadBlue 2.30, which fixes this
vulnerability. BadBlue 2.3 also adds several other features. Users
running internet-connected servers should install the new version as soon
as possible:

https://www.badblue.com/down.htm

will work for Personal Edition users, and Enterprise edition users should
contact Working Resources for an upgrade.

--------------------------------------------------------------------
mail2web - Check your email from the web at
https://mail2web.com/ .


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close