Strumpf Noir Society Advisories ! Public release !

-= BadBlue XSS vulnerabilities / Filesharing Server Worm =-

Release date: Tuesday, February 26, 2002

Introduction:

BadBlue is the technology behind Working Resources Inc.'s product line of the same name, which, amongst other things, also powers Deerfield.com's D2Gfx file sharing community.

Working Resources Inc. : http://www.badblue.com
Deerfield's D2Gfx      : http://d2gfx.deerfield.com

Problem:

The BadBlue server technology does not adequately validate and filter URL input from untrustworthy sources. This can be abused to craft a malicious link to the server containing arbitrary script code; when a legitimate user follows the link, the script is executed in that user's browser.

Extending on this problem, a remote attacker can gain control of any or all machines performing searches on the network through a combination of this problem and a weak authentication scheme.

Cross site scripting example:

http://server/<script>alert("doh!")</script>

The problem is made worse by the fact that it is also present in the numerous administrative scripts shipped with the server, which do not filter URL input correctly either. The issue here is not so much that script code can be executed in local pages, since there is no real security hazard there. However, these scripts can be used to insert script code into variables which are displayed when other users on the filesharing network search the local machine for files, so the script also executes in the browsers of those (remote) users. Since the server only checks the (local) IP address used to authenticate a user as the server admin, this script could well be used to execute commands on remote machines running BadBlue.
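To make the two failure modes concrete from the defender's side, here is an added Python example; it is not code from the advisory or from BadBlue. It shows a page that echoes the request path unescaped (the reflected case) next to its escaped counterpart, escaping applied when a stored share name is rendered into a search result (the stored case), and a small check that flags tag characters in request lines. The request path and the log lines are constructed for illustration, and the log format is hypothetical.

```python
import html
from urllib.parse import unquote

# Constructed request path, modelled on the advisory's example (not captured traffic).
SAMPLE_PATH = '/<script>alert("doh!")</script>'


def vulnerable_not_found(path: str) -> str:
    """Reflected case as described: the requested path is echoed into the page verbatim."""
    return f"<html><body>File not found: {path}</body></html>"


def safe_not_found(path: str) -> str:
    """Hardened form: HTML-escape anything taken from the URL before it reaches a page."""
    return f"<html><body>File not found: {html.escape(path, quote=True)}</body></html>"


def safe_search_result(share_name: str) -> str:
    """Stored case: a value set through an admin script is later shown to remote searchers.
    Escaping at render time neutralises script that was injected into the stored value."""
    return f"<li>{html.escape(share_name, quote=True)}</li>"


def contains_markup(value: str) -> bool:
    """Detection helper: decode percent-encoding first, then look for tag characters."""
    decoded = unquote(value)
    return "<" in decoded or ">" in decoded


def suspicious_requests(log_lines: list[str]) -> list[str]:
    """Return the request lines whose path carries tag characters (hypothetical log format)."""
    flagged = []
    for line in log_lines:
        parts = line.split(" ")
        if len(parts) >= 2 and contains_markup(parts[1]):
            flagged.append(line)
    return flagged


# Constructed access-log lines used to exercise the check.
SAMPLE_LOG = [
    "GET /files/readme.txt HTTP/1.0",
    "GET /%3Cscript%3Ealert(%22doh!%22)%3C/script%3E HTTP/1.0",
    "GET /search?q=report HTTP/1.0",
]

if __name__ == "__main__":
    print(safe_not_found(SAMPLE_PATH))
    print(safe_search_result(SAMPLE_PATH))
    print(suspicious_requests(SAMPLE_LOG))
```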
A quick piece of script we wrote as a proof of concept was able to spread to remote machines doing a search (no other user interaction required!), create a user account on the target server, "phone home" the details and hide itself, ready to spread to the next machine. (..)

Solution:

Vendor has been notified. BadBlue v1.6.1 Beta has recently been released, which fixes several, but not all, occurrences of XSS in BadBlue. Users are encouraged to upgrade to this version because it fixes another security problem in the software (as described in our advisory sns2k2-badblue7-adv), but are advised to disable all scripting while running BadBlue.

Vulnerable:

- BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
- BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
- Deerfield D2Gfx (v1.0.2 - effectively BadBlue v1.0.2) for Win9x/NT/2000/ME/XP

yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!