Strumpf Noir Society Advisories ! Public release ! <--#

-= BadBlue Yet Another Directory Traversal =-

Release date: Tuesday, February 26, 2002

Introduction:

BadBlue is the technology behind Working Resources Inc.'s product line of the same name and which, amongst other things, also powers Deerfield.com's D2Gfx file sharing community.

Working Resources Inc. : http://www.badblue.com
Deerfield's D2Gfx      : http://d2gfx.deerfield.com

Problem:

The BadBlue server has in the past been found vulnerable to several directory traversal attacks. One of these was the "regular" double-dot traversal attack. We ourselves described another one in our earlier advisory sns2k2-badblue2-adv, entitled "BadBlue Scripting Directory Traversal Vulnerability". Working Resources Inc. has applied fixes for both; however, these can easily be circumvented.

The problem described below was identified during testing of the fix for the issue we reported in sns2k2-badblue2-adv, which has just recently been released. In our previous advisory we relayed the vendor's intention to solve that problem in the next BadBlue release (not forthcoming at the time); it is however important to note that this release (v1.6) is vulnerable to the problem described below as well.

The problem lies in the fact that the BadBlue server filters the "./" combination out of URLs to prevent the directory traversal attacks described. In doing so, however, it leaves open a window of exploitation for variations of these characters, which are not correctly removed from input.

Example:

http://server/.../...//file.ext

The problem is obvious and allows an attacker to read any file on the server.

(..)

Solution:

The vendor has been notified and has released BadBlue v1.6.1, which does properly parse requests like this.

Vulnerable:

- BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
- BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
- BadBlue Personal Edition (v1.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.6 Beta) for Win95/NT4
- BadBlue Enterprise Edition (v1.6 Beta) for Win98/2000/ME/XP
- Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for Win9x/NT/2000/ME/XP

Earlier versions were already found vulnerable to the "regular" directory traversal attacks mentioned above.

yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!
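The Problem section above describes a filter that deletes "./" from request URLs and is bypassed by variations on that sequence. As an added example, not part of this advisory and not BadBlue's code, the following Python models that kind of strip-once filter beside the defensive alternative, a canonicalize-then-check resolver: decode the path, refuse dot-only segments and separator tricks outright, normalize, and then prove the result stays under the document root. WEB_ROOT and the sample request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example (not BadBlue's real layout).
WEB_ROOT = "/srv/www/public"


def strip_dot_slash(url_path):
    """Model of a strip-based filter: remove every "./" substring in one pass.

    This reconstructs the kind of filter the advisory describes, not BadBlue's
    actual implementation.  Note what survives: the advisory's own example path
    keeps a segment made only of dots, which the filter never examines again.
    """
    return url_path.replace("./", "")


def has_dot_only_segment(path):
    """True if any "/"-separated segment consists solely of dots (".", "..", "...", ...)."""
    return any(seg != "" and set(seg) == {"."} for seg in path.split("/"))


def safe_resolve(url_path, root=WEB_ROOT):
    """Canonicalize a request path and return its filesystem location under root,
    or None if the request is malformed or would leave the root.

    Order matters: decode first (so "%2e%2e" is seen as ".."), refuse dot-only
    segments and separator tricks before normalizing (so nothing ambiguous is
    ever interpreted), then normalize and prove containment.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    if has_dot_only_segment(decoded):
        return None
    # posixpath.normpath collapses duplicate slashes; with dot-only segments gone,
    # only ordinary names remain, so normalization cannot move upward.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    target = posixpath.join(root, normalized.lstrip("/"))
    # Final containment check: the resolved path must stay inside the root.
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample requests, including the advisory's own example path.
    for req in ("/docs/file.ext", "/docs///file.ext", "/.../...//file.ext",
                "/../file.ext", "/%2e%2e/file.ext"):
        print(f"{req:22} strip-once -> {strip_dot_slash(req):18} "
              f"resolve -> {safe_resolve(req)}")
```

Two design choices are worth noting. Dot-only segments are refused rather than interpreted because platforms differ on their meaning: DOS and Windows 9x, which several of the listed builds run on, treat "..." as two parent references, so a POSIX-style normalizer that sees "..." as an ordinary file name would reach a different location than the operating system does. And the strip-once filter is kept in the example only to show the general failure of sanitizing by deletion: removing one substring can leave, or even assemble, sequences the filter never re-checks, whereas a containment check on the fully resolved path holds regardless of how the input was spelled.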