BadBlue Yet Another Directory Traversal

From: Strumpf Noir Society (vuln-devat_private)
Date: Tue Feb 26 2002 - 08:38:06 PST

    Strumpf Noir Society Advisories
    ! Public release !
    
    -= BadBlue Yet Another Directory Traversal =-
    
    Release date: Tuesday, February 26, 2002
    
    
    Introduction:
    
    BadBlue is the technology behind Working Resources Inc.'s product line with
    the same name and which, amongst other things, also powers Deerfield.com's
    D2Gfx file sharing community.
    
    Working Resources Inc. :        http://www.badblue.com
    Deerfield's D2Gfx :             http://d2gfx.deerfield.com
    
    
    Problem:
    
    The BadBlue server has in the past been found vulnerable to several directory
    traversal attacks. One of these was the "regular" double-dot traversal attack.
    We ourselves described another one in our earlier advisory sns2k2-badblue2-adv, 
    entitled "BadBlue Scripting Directory Traversal Vulnerability". Working Resources
    Inc. has applied fixes for both, however these can easily be circumvented.
    
    The problem described below was identified during testing of the fix for the
    issue we reported in sns2k2-badblue2-adv, which has just recently been
    released. In our previous advisory we expressed the vendor's intention to solve
    this problem in the next BadBlue release (not forthcoming at the time); it is
    however important to note that this release (v1.6) is vulnerable to the problem
    below as well.
    
    The problem lies in the fact that the BadBlue server filters the "./"
    combination out of URLs to prevent the directory traversal attacks described
    above. In doing so, however, it leaves open a window of exploitation for
    variations of these characters, which are not correctly removed from input.
    
    
    Example:
    
    http://server/.../...//file.ext
    
    The problem is obvious and allows an attacker to read any file on the server.
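    As an added illustration (not code from the advisory or from Working
    Resources Inc.), the substring-stripping approach described above is shown
    beside a canonicalising check that refuses the request instead of trying to
    delete bad characters; the document root, function names and sample requests
    are assumed for this example.

```python
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # assumed document root (constructed for this example)


def weak_filter(url_path: str) -> str:
    """Blacklist approach of the kind the advisory describes: strip the
    "./" substring once and hand whatever remains to the filesystem.
    The "regular" "../../" request is defused, but the "..." variant
    survives as dot-only path segments that are never rejected."""
    return url_path.replace("./", "")


def resolve_safely(url_path: str, root: str = DOC_ROOT):
    """Canonicalise the request and decide from the result. Returns the
    filesystem path to serve, or None when the request must be refused."""
    # Decode first, so "%2e%2e" is seen as ".." before any decision is made.
    path = unquote(url_path)
    # The server runs on Windows, so "\" is a separator as well. Empty
    # segments ("//") are dropped rather than left for the OS to interpret.
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    stack = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if not stack:
                return None  # would climb above the document root
            stack.pop()
            continue
        if set(seg) == {"."}:
            # "...", "....": not ordinary file names. Legacy DOS/Win9x path
            # handling treated them as multiple parent references, so refuse.
            return None
        stack.append(seg)
    return root + "/" + "/".join(stack)


if __name__ == "__main__":
    # Constructed sample requests: the two traversal forms from the advisory
    # plus an ordinary relative reference that should still be served.
    for req in ("/../../file.ext", "/.../...//file.ext", "/docs/../index.htm"):
        print(req, "->", repr(weak_filter(req)), "|", resolve_safely(req))
```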
    
    
    (..)
    
    
    Solution:
    
    The vendor has been notified and has released BadBlue v1.6.1, which properly
    parses requests like this.
    
    
    Vulnerable:
    
    - BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
    - BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
    - BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
    - BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
    - BadBlue Personal Edition (v1.6 Beta) for Win95/NT4
    - BadBlue Personal Edition (v1.6 Beta) for Win98/2000/ME/XP
    - BadBlue Enterprise Edition (v1.6 Beta) for Win95/NT4
    - BadBlue Enterprise Edition (v1.6 Beta) for Win98/2000/ME/XP
    
    - Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for Win9x/NT/2000/ME/XP
    
    Earlier versions were already found vulnerable to the "regular" directory
    traversal attacks mentioned above.
    
    
    yadayadayada
    
    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant; all information is provided on an AS IS basis.
    
    EOF, but Strumpf Noir Society will return!
    
    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 13:06:09 PST