BADBLUE : BadBlue is the technology behind Working Resources Inc.'s product line with the same name and which, amongst other things, also powers Deerfield.com's D2Gfx file sharing community.

The BadBlue server has in the past been found vulnerable to several directory traversal attacks. One of these was the "regular" double-dot traversal attack. We ourselves described another one in our earlier advisory sns2k2-badblue2-adv, entitled "BadBlue Scripting Directory Traversal Vulnerability". Working Resources Inc. has applied fixes for both, however these can easily be circumvented.

The problem described below was identified during testing of the fix for the issue we reported in sns2k2-badblue2-adv, which has just recently been released. In our previous advisory we expressed the vendor's intention to solve this problem in the next BadBlue release (not forthcoming at the time); it is however important to note that this release (v1.6) is vulnerable to the below as well.

The problem lies in the fact that the BadBlue server filters the "./" combination out of URLs to prevent the directory traversal attacks described. In doing so however, it leaves open a window of exploitation for variations of these characters, which are not correctly removed from input.

BADBLUE : Several days ago, I reported a vulnerability in the EXT.DLL ISAPI of BadBlue. BadBlue 1.7.3 has now been released by the vendor (Working Resources) at for administrators to upgrade their systems.

The vulnerability exists in how EXT.DLL sanitizes input for HTX/HTS pages. Any user input is inserted un-sanitized, making any HTX or HTS pages that display output vulnerable to attack. Although these may appear at first glance to be separate vulnerabilities, the issue actually is not the pages, but in the ISAPI that processes them.

Webmasters can test for the vulnerability by running a search query containing HTML/script (e.g., "alert('vulnerable!');" would do). If the search results page displays a JavaScript Alert, your server could be used in attacks against visiting browsers.

All administrators running BadBlue PE/EE 1.72 and earlier are at risk of this vulnerability being exploited on their servers and are urged to upgrade to BadBlue 1.73 available from the vendor at the above address.

"The reason the mainstream is thought of as a stream is because it is so shallow." - Author Unknown

BADBLUE : Author: Matthew Murphy
Release Date: April 20, 2003
Vendor References:
*
*
Affected Systems: BadBlue 2.15 and prior
Risk: High
Issue: A vulnerability enabling attackers to gain administrative control of a vulnerable server.
Recommendations:
* Personal Edition customers should download BadBlue 2.16, available now
* Enterprise Edition customers should contact Working Resources for a fixed version

BadBlue is a powerful Web/P2P server with native Gnutella capabilities, filters, CGI, and ISAPI. It ships with an ISAPI module that provides an HTML-embedded dynamic web page language; this language powers the BadBlue WBA.

The BadBlue ISAPI module allows page parsing with the LoadPage command, via the following syntax:

http://[target]/ext.dll?MfcIsapiCommand=LoadPage&page=[pagename]&a0=[arg]&a1=...

The DLL attempts to prevent remote users from accessing .hts pages by checking the 'referer' HTTP header of requests, and also verifying that all requests for .hts pages originate from 127.0.0.1 (the loopback).

By appending certain illegal characters to the requested filename, it is possible to cause BadBlue to interpret .hts files from a remote system, thereby yielding administrative control of the server to the attacker.
BADBLUE : Affected Systems:
* BadBlue 1.7
* BadBlue 2.0
* BadBlue 2.1
* BadBlue 2.2
Immune Systems:
* BadBlue 2.3
NOTE: BadBlue 1.6 and prior may be impacted; these systems were not tested.
Risk: High (Remote LocalSystem Compromise)
Vendor URL: http://www.badblue.com/
Status: Fixed version is now available
Download: http://www.badblue.com/down.htm
* Windows 95/NT http://www.badblue.com/bb95.exe
* Windows 98/2000/Me/XP http://www.badblue.com/bb98.exe

"Run a web site on your own PC and share photos, movies, videos and music/MP3 files securely, free. BadBlue Personal Edition is much easier to use than a typical FTP server. Users can search or explore your shared folders... and domain-name support is also included."

"BadBlue Enterprise Edition is the first to offer business file sharing... a complete, secure web server that shares Office files over the web: remote users only need browsers to view files (even Word, Excel and Access). And full-text search is also supported. Search, share, transfer files securely with colleagues..."

Among BadBlue's features is the ability to support ISAPI extensions. ISAPI provides the backbone for BadBlue's HTML-embedded scripting engine which powers most of the web-based administrative functionality. The engine attempts to restrict access to non-html files by requiring that 'ht' be the first letters of the target file's extension, and also requiring that requests to access '.hts' files are submitted by 127.0.0.1 and contain a proper 'Referer' header.

BADBLUE : This security feature is accomplished with a simple binary replace of the first two characters of the file extension. The two security checks are performed in an incorrect order, meaning that the first security check can

This vulnerability can be exploited to gain full administrative control of the server. Users running older releases are almost certainly impacted.

The following URL:
http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.hts
http://localhost/ext.dll?mfcisapicommand=loadpage&page=dir.ats
will succeed. Due to the security check's replacement of the 'a' with 'h', the URL points to a valid filename. However, because the header/origin check is attempted prior to the replacement, the match does not occur, and the request is allowed to continue. An example of this exploit is as follows:

http://localhost/ext.dll?mfcisapicommand=loadpage&page=admin.ats&a0=add&a1=root&a2=%5C

This adds '/root' as '\', revealing the server's primary volume. The attacker can then traverse the volume with the directory indexing feature of the server.

Working Resources has released BadBlue 2.30, which fixes this vulnerability. BadBlue 2.3 also adds several other features. Users
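The check-ordering defect the advisory above describes, modelled as an added example (this is not BadBlue's code, which is a closed-source ISAPI DLL). It assumes the "proper Referer" requirement means a Referer pointing at the loopback host, and shows the vulnerable order (origin check on the raw name, then the two-letter extension replace) beside the corrected order (normalise first, then check):

```python
from dataclasses import dataclass
from typing import Optional

LOOPBACK = "127.0.0.1"


@dataclass
class Request:
    page: str        # value of the page= parameter, e.g. "admin.ats"
    client_ip: str   # peer address as the server sees it
    referer: str     # Referer header value, "" when absent


def normalise_extension(page: str) -> str:
    """Model of the 'binary replace of the first two characters of the
    file extension': whatever two letters the extension starts with
    become 'ht', so 'dir.ats' -> 'dir.hts' and 'index.htx' is unchanged."""
    base, sep, ext = page.rpartition(".")
    if not sep or len(ext) < 2:
        return page
    return f"{base}.ht{ext[2:]}"


def is_privileged(page: str) -> bool:
    return page.lower().endswith(".hts")


def origin_ok(req: Request) -> bool:
    # Assumption: a 'proper' Referer is one naming the loopback host.
    return req.client_ip == LOOPBACK and req.referer.startswith(
        f"http://{LOOPBACK}/")


def vulnerable_dispatch(req: Request) -> Optional[str]:
    """Order as described in the advisory: the origin/Referer check looks
    at the raw name, so 'admin.ats' is not recognised as privileged; the
    replace then turns it into 'admin.hts' and it is served remotely."""
    if is_privileged(req.page) and not origin_ok(req):
        return None
    return normalise_extension(req.page)


def fixed_dispatch(req: Request) -> Optional[str]:
    """Corrected order: decide on the name that will actually be served."""
    page = normalise_extension(req.page)
    if is_privileged(page) and not origin_ok(req):
        return None
    return page
```

Running the same remote request through both functions shows the vulnerable order handing back the .hts page while the corrected order refuses it; the general lesson is that any canonicalisation or rewrite must happen before, not after, the authorisation check that depends on it.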