Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Matthew Murphy (mattmurphy_at_kc.rr.com)
Date: Fri Jul 12 2002 - 19:50:16 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Advisory: Working Resources BadBlue Multiple Vulnerabilities

    Issue: Three vulnerabilities; a denial of service, an insecurity in password
    storage, and a file disclosure vulnerability that could allow viewing of the
    password file.

    Risk: Critical

    SecurityFocus: "Working Resources BadBlue Invalid Get Request Denial of
    Service Vulnerability" describes one of these issues.

    Invalid GET Request Vulnerability

    By sending a specially crafted GET request (specifically, one with no
    filename component) it is possible to cause the server to stop handling
    further requests. The administrator must fully exit and manually restart
    the server to resume normal operation:

    GET HTTP/1.0

    Some servers withstood this, but balked at a similar request:

    GET HTTP/1.0

    The only difference here being two spaces instead of one.

    Malformed Escaping Invalid Byte Vulnerability

    By sending a malformed version of an HTTP-escaped NULL byte ("%00") BadBlue
    can be forced to return the source code of the desired file (or the binary
    content if the file is a binary). This vulnerability can be used to read
    the contents of EXT.INI, which stores BadBlue's configuration data,
    including any users or Access Control Lists (ACLs) on the server and the
    passwords for any such data, as well. The attacker simply appends ".%
    00.txt" to the filename. BadBlue appears to strip spaces after
    HTTP-escaping, but does this after null-byte filtering has already been
    applied, causing this specially designed request to bypass the filter:

    GET /ext.ini.% 00.txt HTTP/1.0

    Will reveal the contents of the BadBlue configuration file. If the server
    is configured to allow uploads, but not to allow read/execute access without
    a password, this can be used to break the password protection.

    Un-encrypted Password Vulnerability

    This vulnerability involves the password storage in the aforementioned
    ext.ini file. The vulnerability allows a local user with read access to the
    configuration file to see any passwords for secured resources or user
    accounts. BadBlue stores the passwords with no encryption at all, meaning
    that simply opening the file is sufficient for password theft. Combined
    with the above vulnerability, this enables a remote user to read the
    passwords of any BadBlue server.