BadBlue Remote Administrative Access Vulnerability

I. Synopsis

Affected Systems:
* BadBlue 1.7
* BadBlue 2.0
* BadBlue 2.1
* BadBlue 2.2

Immune Systems:
* BadBlue 2.3

NOTE: BadBlue 1.6 and prior may be impacted; these systems were not tested.

Risk: High (Remote LocalSystem Compromise)
Vendor URL: http://www.badblue.com/
Status: Fixed version is now available
Download: http://www.badblue.com/down.htm
* Windows 95/NT        http://www.badblue.com/bb95.exe
* Windows 98/2000/Me/XP http://www.badblue.com/bb98.exe

II. Product Description

"Run a web site on your own PC and share photos, movies, videos and music/MP3 files securely, free. BadBlue Personal Edition is much easier to use than a typical FTP server. Users can search or explore your shared folders... and domain-name support is also included."

"BadBlue Enterprise Edition is the first to offer business file sharing... a complete, secure web server that shares Office files over the web: remote users only need browsers to view files (even Word, Excel and Access). And full-text search is also supported. Search, share, transfer files securely with colleagues..."

(Quotes from http://www.badblue.com/)

III. Vulnerability Description

Among BadBlue's features is the ability to support ISAPI extensions. ISAPI provides the backbone for BadBlue's HTML-embedded scripting engine, which powers most of the web-based administrative functionality. The engine attempts to restrict access to non-HTML files by requiring that 'ht' be the first two letters of the target file's extension, and also by requiring that requests for '.hts' files are submitted from 127.0.0.1 and contain a proper 'Referer' header.

The first restriction is implemented as a simple binary replace of the first two characters of the file extension. The two security checks are performed in the wrong order: the origin/Referer check runs against the requested name before the extension has been rewritten, so the rewrite can inadvertently bypass the origin/Referer check.

IV. Impact

This vulnerability can be exploited to gain full administrative control of the server. Users running older releases are almost certainly impacted.

The following URL:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts

will fail, while the following URL:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats

will succeed. Because the security check replaces the 'a' with 'h', the URL ends up pointing to a valid filename. However, because the header/origin check is performed before that replacement, the '.hts' match does not occur, and the request is allowed to continue.

An example of this exploit is as follows:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=root&a2=%5C

This adds '/root' as '\', revealing the server's primary volume. The attacker can then traverse the volume with the directory indexing feature of the server.

V. Vendor Response

Working Resources has released BadBlue 2.30, which fixes this vulnerability. BadBlue 2.3 also adds several other features. Users running internet-connected servers should install the new version as soon as possible: http://www.badblue.com/down.htm will work for Personal Edition users, and Enterprise Edition users should contact Working Resources for an upgrade.
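The check-ordering flaw from sections III and IV, modelled as an added example (this is not BadBlue's code; the function names, the request fields and the exact shape of the Referer test are assumptions, only the ordering follows the advisory): the extension rewrite is applied after the origin check in the vulnerable path and before it in the fixed path, which is the general "canonicalise, then authorise" rule.

```python
"""Model of the BadBlue '.ats' -> '.hts' ordering bug and its fix (illustrative, not vendor code)."""
from typing import Optional
from urllib.parse import parse_qs, urlparse

LOOPBACK = "127.0.0.1"


def page_from_url(url: str) -> str:
    """Pull the 'page' query parameter out of an ext.dll request URL."""
    return parse_qs(urlparse(url).query)["page"][0]


def normalise_page(page: str) -> str:
    """Model of the engine's binary replace: first two chars of the extension become 'ht'."""
    stem, dot, ext = page.rpartition(".")
    if not dot or len(ext) < 2:
        return page
    return f"{stem}.ht{ext[2:]}"  # 'dir.ats' -> 'dir.hts', 'index.html' unchanged


def admin_check_passes(page: str, remote_addr: str, referer: Optional[str]) -> bool:
    """Origin/Referer restriction meant to guard '.hts' admin pages (assumed shape)."""
    if not page.lower().endswith(".hts"):
        return True  # not an admin page as named, nothing to restrict
    if remote_addr != LOOPBACK or not referer:
        return False
    return urlparse(referer).hostname in ("localhost", LOOPBACK)


def vulnerable_dispatch(page: str, remote_addr: str, referer: Optional[str]) -> Optional[str]:
    """Pre-2.3 order: check the name as requested, then rewrite the extension."""
    if not admin_check_passes(page, remote_addr, referer):
        return None
    # The rewrite happens after the check already passed on 'dir.ats'.
    return normalise_page(page)


def fixed_dispatch(page: str, remote_addr: str, referer: Optional[str]) -> Optional[str]:
    """Corrected order: rewrite first, then check the canonical name."""
    canonical = normalise_page(page)
    if not admin_check_passes(canonical, remote_addr, referer):
        return None
    return canonical
```

Running both dispatchers over the advisory's 'dir.ats' URL from a non-loopback address shows the vulnerable path serving 'dir.hts' while the fixed path refuses it.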