BadBlue Yet Another Directory Traversal

by Nikola Strahija on February 26th, 2002


Introduction:

BadBlue is the technology behind Working Resources Inc.'s product line with
the same name and which, amongst other things, also powers Deerfield.com's
D2Gfx file sharing community.

Working Resources Inc. : http://www.badblue.com
Deerfield's D2Gfx : http://d2gfx.deerfield.com


Problem:

The BadBlue server has in the past been found vulnerable to several directory
traversal attacks. One of these was the "regular" double-dot traversal attack.
We ourselves described another one in our earlier advisory sns2k2-badblue2-adv,
entitled "BadBlue Scripting Directory Traversal Vulnerability". Working Resources
Inc. has applied fixes for both; however, these can easily be circumvented.

The problem described below was identified during testing of the fix for the
issue we reported in sns2k2-badblue2-adv, which has just recently been released.
In our previous advisory we expressed the vendor's intention to solve this
problem in the next BadBlue release (not forthcoming at the time). It is,
however, important to note that this release (v1.6) is vulnerable to the issue
below as well.

The problem lies in the fact that the BadBlue server filters the "./"
combination out of URLs to prevent the directory traversal attacks described.
In doing so, however, it leaves open a window of exploitation for variations of
these characters, which are not correctly removed from input.


Example:

http://server/.../...//file.ext

The problem is obvious and allows an attacker to read any file on the server.


(..)


Solution:

The vendor has been notified and has released BadBlue v1.6.1, which does
properly parse requests like this.
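
Removing a substring such as "./" from a request leaves other dot sequences in place. The added example below (not taken from the advisory or from BadBlue's code) refuses dots-only path segments and then checks the canonical result against the document root. The names naive_filter and resolve_under_root, the document root and the sample paths other than the advisory's own are assumptions for illustration, and naive_filter is an assumed single-pass model of a strip-style filter, not BadBlue's actual routine.

```python
import os
from typing import Optional
from urllib.parse import unquote

# The request path from the advisory's example.
ADVISORY_EXAMPLE = "/.../...//file.ext"


def naive_filter(url_path: str) -> str:
    """Assumed model of a strip-style filter: delete each "./" in one pass."""
    return url_path.replace("./", "")


def resolve_under_root(doc_root: str, url_path: str) -> Optional[str]:
    """Map a URL path to a file below doc_root; return None to refuse it."""
    decoded = unquote(url_path)  # decode first so %2e%2e is seen as ".."
    if "\x00" in decoded:
        return None
    # Treat "\" like "/": the affected products run on Windows.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s]
    for seg in segments:
        # Refuse instead of repairing. Dots-only segments (".", "..", "...")
        # and drive/stream markers (":") never name a file we want to serve.
        if seg.strip(".") == "" or ":" in seg:
            return None
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Final containment check on the canonical path (symlinks resolved).
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    root = "/srv/www"  # constructed document root
    for path in (ADVISORY_EXAMPLE, naive_filter(ADVISORY_EXAMPLE),
                 "/%2e%2e/%2e%2e/file.ext", "/docs/file.ext"):
        print(repr(path), "->", resolve_under_root(root, path))
```

The assumed strip filter turns the advisory's path into one that still contains a dots-only segment, which is why the resolver refuses such segments outright and relies on the containment check instead of trying to clean the input.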


Vulnerable:

- BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
- BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP
- BadBlue Personal Edition (v1.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.6 Beta) for Win95/NT4
- BadBlue Enterprise Edition (v1.6 Beta) for Win98/2000/ME/XP

- Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for Win9x/NT/2000/ME/XP

Earlier versions were already found vulnerable to the "regular" directory
traversal attacks mentioned above.


