COMMAND

BadBlue directory traversal and CSS, leading to a possible worm vulnerability

SYSTEMS AFFECTED

- BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
- BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
- BadBlue Personal Edition (v1.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.6 Beta) for Win95/NT4
- BadBlue Enterprise Edition (v1.6 Beta) for Win98/2000/ME/XP
- Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for Win9x/NT/2000/ME/XP

PROBLEM

In Strumpf Noir Society Advisories, two vulnerabilities have been found regarding BadBlue, the technology behind Working Resources Inc.'s product line of the same name, which, amongst other things, also powers Deerfield.com's D2Gfx file sharing community. (Working Resources Inc.: http://www.badblue.com, Deerfield's D2Gfx: http://d2gfx.deerfield.com)

Directory Traversal
===================

The BadBlue server has in the past been found vulnerable to several directory traversal attacks. One of these was the "regular" double-dot traversal attack. We ourselves described another one in our earlier advisory sns2k2-badblue2-adv, entitled "BadBlue Scripting Directory Traversal Vulnerability". Working Resources Inc. has applied fixes for both; however, these can easily be circumvented.

The problem described below was identified during testing of the fix for the issue we reported in sns2k2-badblue2-adv, which has only recently been released. In our previous advisory we relayed the vendor's intention to solve this problem in the next BadBlue release (not forthcoming at the time); it is, however, important to note that this release (v1.6) is vulnerable to the problem below as well.

The problem lies in the fact that the BadBlue server filters the "./" combination out of URLs to prevent the directory traversal attacks described. In doing so, however, it leaves open a window of exploitation for variations of these characters, which are not correctly removed from input.

Example: http://server/.../...//file.ext

The problem is obvious and allows an attacker to read any file on the server.

Cross Site Scripting & Worm
===========================

The BadBlue server technology does not adequately validate and filter URL input from untrustworthy sources. This can be abused to create a malicious link to the server containing arbitrary script code. When a legitimate user browses the malicious link, the script code will be executed in the user's browser. Extending on this problem, it is possible for a remote attacker to gain control of any/all machines performing searches on the network through a combination of this problem and a weak authentication scheme.

Cross site scripting example: http://server/<script>alert("doh!")</script>

This problem is made worse by the fact that it is also present in the numerous administrative scripts shipped with the server, which do not filter URL input correctly either. The problem here is not so much that script code can be executed in local pages, since there is no real security hazard there. However, these scripts can be used to insert script code into variables which are displayed when other users on the filesharing network search the local machine for files. This will execute the script in the browser of those (remote) users as well. Since the server only checks the (local) IP used to authenticate a user as the server admin, this script could well be used to execute commands on remote machines running BadBlue.

A quick piece of script we wrote as a proof of concept was able to spread to remote machines doing a search (no other user interaction required!), create a user account on the target server, "phone home" the details and hide itself, ready to spread to the next machine.

SOLUTION

Vendor has been notified and has released BadBlue v1.6.1. It fixes directory traversal, and fixes several, but not all, occurrences of XSS.