From: SNS Research (vuln-devGREYHACK.COM)
Date: Sat Feb 17 2001 - 03:18:12 CST


    Strumpf Noir Society Advisories
    ! Public release !
    <--#

    -= BadBlue Web Server Ext.dll Vulnerabilities =-

    Release date: Saturday, February 17, 2001

    Introduction:

    BadBlue is a (MS Windows-based) web server intended for a wide range of
    applications, from providing file sharing possibilities to an
    application development and deployment environment. It includes
    full-featured support of tools like CGI, ISAPI and PHP.

    BadBlue can be found at vendor Working Resources Inc.'s website:
    http://www.badblue.com

    Problem:

    The BadBlue web server serves files through a library called ext.dll.
    A typical request to the server would be built up through a request to
    this file together with a string containing the actual command data, like
    so: http://127.0.0.1/ext.dll?mfcisapicommand=loadpage&page=default.hts

    Some ways have been found to manipulate the server by playing with this
    string. By omitting the data following ext.dll in the above-mentioned
    request, the server will return an error which discloses information
    regarding the path where it is running on the machine. What's more, by
    replacing this data with a string of 284 bytes or more, the BadBlue
    web server will die.

    Directory disclosure example:

    http://server/ext.dll

    will result in:

    [Error: opening c:\program files\badblue\pe\default.htx (2)]

    Denial-of-service example:

    http://server/ext.dll?aaaaa(x 248 bytes)

    will cause the server to die.

    (..)

    Solution:

    Working Resources Inc. has made BadBlue version 1.02.8 available from its
    website, which addresses these problems.

    This was tested against BadBlue 1.02.07 Personal Edition. After
    contacting the vendor it is our understanding that the other members of
    the BadBlue product suite are based on the same code base and are
    vulnerable as well. Users are encouraged to upgrade.

    yadayadayada

    Free sk8! (http://www.freesk8.org)

    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant, all information is provided on an AS IS basis.

    EOF, but Strumpf Noir Society will return!
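
Added example, not part of the original advisory: a log check that flags the two request shapes described above (ext.dll with no command data, and ext.dll with an oversized query string). It assumes Common Log Format lines from the server or a proxy in front of it; the names `classify`, `scan`, `MAX_QUERY_LEN` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: Common Log Format. The advisory does not describe BadBlue's
# own log layout, so adjust REQUEST_RE to whatever your logs look like.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# The advisory gives two lengths (284 in the text, 248 in the example);
# the lower one is used here as the conservative alert threshold.
MAX_QUERY_LEN = 248

def classify(target):
    """Return a finding label for one request target, or None if unremarkable."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/ext.dll"):
        return None
    if parts.query == "":
        # ext.dll requested without command data: triggers the path-revealing error
        return "path-disclosure-probe"
    if len(parts.query) >= MAX_QUERY_LEN:
        # command data long enough to match the crash condition
        return "oversized-query"
    return None

def scan(lines):
    """Return (line_number, label) for every flagged request in the log."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the assumed format
        label = classify(match.group(1))
        if label:
            findings.append((number, label))
    return findings

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Feb/2001:09:00:01 -0600] "GET /ext.dll?mfcisapicommand=loadpage&page=default.hts HTTP/1.0" 200 1043',
    '192.0.2.44 - - [17/Feb/2001:09:00:07 -0600] "GET /ext.dll HTTP/1.0" 200 61',
    '192.0.2.44 - - [17/Feb/2001:09:00:09 -0600] "GET /ext.dll?' + "a" * 300 + ' HTTP/1.0" 502 0',
    '192.0.2.10 - - [17/Feb/2001:09:00:12 -0600] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for number, label in scan(SAMPLE_LOG):
        print(f"line {number}: {label}")
```

On hosts still running a version older than 1.02.8, a hit on either label is a reason to check whether the server process restarted around that timestamp.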