From: Strumpf Noir Society (vuln-devlabs.secureance.com)
Date: Tue Feb 26 2002 - 10:38:47 CST

    Strumpf Noir Society Advisories
    ! Public release !
    <--#

    -= BadBlue XSS vulnerabilities / Filesharing Server Worm =-

    Release date: Tuesday, February 26, 2002

    Introduction:

    BadBlue is the technology behind Working Resources Inc.'s product line with
    the same name and which, amongst other things, also powers Deerfield.com's
    D2Gfx file sharing community.

    Working Resources Inc. : http://www.badblue.com
    Deerfield's D2Gfx : http://d2gfx.deerfield.com

    Problem:

    The BadBlue server technology does not adequately validate and filter URL
    input from untrustworthy sources. This can be abused to create a malicious
    link to the server containing arbitrary script code. When a legitimate user
    browses the malicious link, the script code is executed in that user's
    browser. Building on this problem, a remote attacker can gain control of
    any or all machines performing searches on the network by combining it
    with a weak authentication scheme.

    Cross site scripting example:

    http://server/<script>alert("doh!")</script>

    This problem is made worse by the fact that it is also present in the
    numerous administrative scripts shipped with the server, which do not filter
    URL input correctly either. The problem here is not so much that script code
    can be executed in local pages, since there is no real security hazard in
    that by itself. However, these scripts can be used to insert script code into
    variables which are displayed when other users on the filesharing network
    search the local machine for files. This executes the script in the browsers
    of those (remote) users as well. Since the server authenticates a user as the
    server admin solely by checking for a (local) IP address, this script could
    well be used to execute commands on remote machines running BadBlue. A quick
    piece of script we wrote as a proof of concept was able to spread to remote
    machines doing a search (no other user interaction required!), create a user
    account on the target server, "phone home" the details and hide itself,
    ready to spread to the next machine.
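    The following is an added example and not code from BadBlue, Working
    Resources or this advisory. It models the two injection paths described
    above (a URL echoed into an error page, and an admin-set field echoed into
    the search results served to remote users) next to their output-encoded
    fixes, and shows why an admin check based only on the client IP address
    cannot tell the real admin apart from script running in a browser on the
    same machine. All function names, field names, the sample share list, the
    forged request and the address 127.0.0.1 are hypothetical stand-ins.

```javascript
// Added example (not BadBlue's code). All names and sample data are
// hypothetical; nothing here was captured from a real BadBlue server.

// Encode text for placement inside HTML element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Path 1, vulnerable: the requested path is copied verbatim into the page,
// so a link like http://server/<script>...</script> runs in the visitor's
// browser.
function renderNotFoundVulnerable(path) {
  return `<html><body>File not found: ${path}</body></html>`;
}

// Path 1, fixed: encode the untrusted path at the point of output.
function renderNotFoundSafe(path) {
  return `<html><body>File not found: ${escapeHtml(path)}</body></html>`;
}

// Path 2, vulnerable: a share's description was set through a local admin
// script and is later rendered, unencoded, to every remote user who searches
// this machine. "Only the admin could have set it" is no reason to skip
// encoding: the admin script itself accepted unfiltered URL input.
function renderSearchResultsVulnerable(shares) {
  return shares
    .map((s) => `<li><a href="/${s.name}">${s.name}</a> - ${s.description}</li>`)
    .join('\n');
}

// Path 2, fixed: encode every stored field on output, and percent-encode the
// name where it lands inside a URL.
function renderSearchResultsSafe(shares) {
  return shares
    .map((s) => `<li><a href="/${encodeURIComponent(s.name)}">${escapeHtml(s.name)}</a>` +
                ` - ${escapeHtml(s.description)}</li>`)
    .join('\n');
}

// Crude check used in the demo: did an executable <script> element reach
// the rendered page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Admin check as the advisory describes it: the caller must come from the
// local address. Script injected into a search-result page served by another
// machine runs in the victim's browser, on the victim's machine, so its
// requests to the victim's own server arrive from the local address too.
function isAdminByAddress(req) {
  return req.remoteAddr === '127.0.0.1';
}

// Hardened check: also demand a secret that script injected from another
// machine's page does not hold (a hypothetical admin password).
function isAdminByCredential(req, adminPassword) {
  return req.remoteAddr === '127.0.0.1' && req.password === adminPassword;
}

// Constructed sample input.
const payload = '<script>alert("doh!")</script>';
const shares = [
  { name: 'readme.txt', description: 'plain text notes' },
  { name: 'song.mp3', description: 'nice tune ' + payload },
];
// A request the injected script issues from the victim's own browser.
const forgedAdminRequest = { remoteAddr: '127.0.0.1', path: '/admin-script' };

console.log('vulnerable 404 runs script:   ', containsScriptTag(renderNotFoundVulnerable('/' + payload)));
console.log('fixed 404 runs script:        ', containsScriptTag(renderNotFoundSafe('/' + payload)));
console.log('vulnerable search runs script:', containsScriptTag(renderSearchResultsVulnerable(shares)));
console.log('fixed search runs script:     ', containsScriptTag(renderSearchResultsSafe(shares)));
console.log('IP-only check passes forgery: ', isAdminByAddress(forgedAdminRequest));
console.log('credential check passes it:   ', isAdminByCredential(forgedAdminRequest, 's3cret'));
```

    Note that encoding on output fixes both paths at once: it does not matter
    whether the string arrived in the URL a moment ago or was stored by an
    admin script weeks earlier. The credential check is the minimum needed
    to stop the self-spreading behaviour described above, since a page from
    one BadBlue server can make the victim's browser send requests to the
    victim's own server, but cannot supply a secret it never saw.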

    (..)

    Solution:

    The vendor has been notified. BadBlue v1.6.1 Beta has recently been released,
    which fixes several, but not all, occurrences of XSS in BadBlue. Users are
    encouraged to upgrade to this version because it also fixes another security
    problem in the software (described in our advisory sns2k2-badblue7-adv), but
    are advised to disable all scripting while running BadBlue.

    Vulnerable:

    - BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
    - BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
    - BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
    - BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP

    - Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for Win9x/NT/2000/ME/XP

    yadayadayada

    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant, all information is provided on AS IS basis.

    EOF, but Strumpf Noir Society will return!