Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Three BadBlue Vulnerabilities
From: full-disclosure () lists netsys com (Matthew Murphy)
Date: Fri, 12 Jul 2002 19:50:16 -0500

Advisory: Working Resources BadBlue Multiple Vulnerabilities

Issue: Three vulnerabilities; a denial of service, an insecurity in password
storage, and a file disclosure vulnerability that could allow viewing of the
password file.

Risk: Critical

SecurityFocus: "Working Resources BadBlue Invalid Get Request Denial of
Service Vulnerability" describes one of these issues.

Invalid GET Request Vulnerability

By sending a specially crafted GET request (specifically, one with no
filename component) it is possible to cause the server to stop handling
further requests.  The administrator must fully exit and manually restart
the server to resume normal operation:


Some servers withstood this, but balked at a similar request:


The only difference here being two spaces instead of one.

Malformed Escaping Invalid Byte Vulnerability

By sending a malformed version of an HTTP-escaped NULL byte ("%00") BadBlue
can be forced to return the source code of the desired file (or the binary
content if the file is a binary).  This vulnerability can be used to read
the contents of EXT.INI, which stores BadBlue's configuration data,
including any users or Access Control Lists (ACLs) on the server and the
passwords for any such data, as well.  The attacker simply appends ".%
00.txt" to the filename.  BadBlue appears to strip spaces after
HTTP-escaping, but does this after null-byte filtering has already been
applied, causing this specially designed request to bypass the filter:

GET /ext.ini.% 00.txt HTTP/1.0

Will reveal the contents of the BadBlue configuration file.  If the server
is configured to allow uploads, but not to allow read/execute access without
a password, this can be used to break the password protection.

Un-encrypted Password Vulnerability

This vulnerability involves the password storage in the aforementioned
ext.ini file.  The vulnerability allows a local user with read access to the
configuration file to see any passwords for secured resources or user
accounts.  BadBlue stores the passwords with no encryption at all, meaning
that simply opening the file is sufficient for password theft.  Combined
with the above vulnerability, this enables a remote user to read the
passwords of any BadBlue server.

  By Date           By Thread  

Current thread:
  • Three BadBlue Vulnerabilities Matthew Murphy (Jul 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]