[resend] Strumpf Noir Society on BadBlue

[Strumpf Noir Society <vuln-dev () labs secureance com>]

Strumpf Noir Society Summaries
! Public release !
<--#


-= Strumpf Noir Society on BadBlue =-

(Sorry, couldn't resist.. Ok, so we might not be able to actually
drive a Mach truck, but this seems to do the trick, give or take
a few millions :)


Release date: Thursday, January 17, 2002


Introduction

BadBlue is the technology behind Working Resources Inc.'s product line with
the same name and which, amongst other things, also powers Deerfield.com's
D2Gfx file sharing community.

Working Resources Inc. :        http://www.badblue.com
Deerfield's D2Gfx :             http://d2gfx.deerfield.com


Summary

Below advisory will serve as a summary for our advisories sns2k2-badblue2
through sns2k-badblue6. These are all more or less related problems in 
mentioned software and we would not want to annoy too many people at 
once by sending out five advisories for one product, let's leave some
for next time eh?

(More details are available from our web site [1].)


Introduction

The BadBlue technology suffers from multiple vulnerabilities which
allow for a resource exhaustion attack to be executed against the server
and which could be abused to obtain read access to any file and to 
execute system commands on the target host.


When the going goes wrong, part 1:

BadBlue's main purposes are web serving and peer-to-peer file sharing.
Due to configuration issues between these functionalities, it is possible
to defeat the server's authentication schemes to execute commands on 
the system. Three different approaches have been found to easily circumvent
BadBlue's ip-based authentication. For these attacks to work, the attacker 
will need to have upload access to either a shared or virtual directory on
the target system, or has to trick the system owner into putting his files
in such a directory for him. 

Of all tested systems only BadBlue EE seems to include this upload 
functionality and as such is the only system directly vulnerable to these
attacks. We feel however that these vulnerabilities represent certain 
implementation issues in the whole of the product line. These will be looked
into by Working Resources Inc. in the next release of their product.

The attacks themselves consist of administrative command execution through
PHP or CGI-equivalent scripting, administrative command execution through
HTML tags and system command execution through MS Word macros.


Vulnerable:

- BadBlue Enterprise Edition (v1.5.?) for Win9x/NT/2000/ME/XP

Mentioned problems DO work on other versions of the software as well, however
it will require some social engineering to get the malicious files in an
accessible directory on the server.


When the going goes wrong, part 2:

BadBlue includes the ability to serve transcoded MS Office document data
over the web through a number of scripts/templates. More specifically,
the server is compatible with MS Word, MS Excel and MS Access. Due to two 
problems found to be shared in the accompanying scripts doc.htx, xls.htx 
and mdb.htx however, it is possible to remotely spawn multiple instances
of mentioned MS Office applications on the target system. This could be
abused in the form of a resource exhaustion attack. Also, there exists a
directory traversal attack in the parsers for these documents, which could
allow an attacker read access to any file on the target system. All systems
tested (BadBlue as well as D2Gfx) were vulnerable to these problems.


Vulnerable:

- BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
- BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
- Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for 
Win9x/NT/2000/ME/XP

All earlier versions which include mentioned .htx files are expected
to be fully or partially vulnerable to these problems.


Vendor status:

Vendor has been notified and has verified above issues. Currently a new
version of the BadBlue software is in the making, however no release date
for this was available at this time. Since some of the mentioned 
vulnerabilities leave a users system rather wide open, we've decided to 
post information on these issues and temporary workarounds. Users are
encouraged to upgrade as soon as the new BadBlue release comes 
available.


Workarounds/fixes:

1) Do not allow uploads to directories which can be accessed from the
server. This means virtual AS WELL AS shared directories.

2) If you have no use for the MS Office document sharing functions of
BadBlue, delete/rename/replace the following files: doc.htx, xls.htx and
mdb.htx.

3) If you do share MS Office documents through BadBlue, share them as
single files (meaning: do not select the "Share all files in this
folder (*.*)" option.

4) Limit the number of IP's to which your BadBlue server is accessible
to as few as possible through the "Restrict access by IP address" menu
under the "Advanced web server functions".

A possible fifth and final recommendation would be to disable IRC sharing.
This can be done in BadBlue's "Set your searching options" menu. Altough 
not a security issue perse, this feature is enabled by default in the BadBlue 
server installation (not in the D2Gfx version btw, which uses an older 
version of the BadBlue technology) and, besides some information disclosure, 
makes life quite a lot easier for anyone trying to find potential targets. 
Alternatives will be included in the next BadBlue release.


References:

Full advisories available from http://labs.secureance.com:

sns2k2-badblue2-adv:    "BadBlue Scripting Directory Traversal Vulnerability"
sns2k2-badblue3-adv:    "BadBlue Extensions Authentication Bypassing Vulnerability"
sns2k2-badblue4-adv:    "BadBlue Scripting Resource Exhaustion Vulnerability"
sns2k2-badblue5-adv:    "BadBlue HTML Tag Command Execution Vulnerability"
sns2k2-badblue6-adv:    "BadBlue Macro Execution Vulnerability"


yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!