COMMAND

    Ext.dll

SYSTEMS AFFECTED

    BadBlue Web Server

PROBLEM

    The following is based on a Strumpf Noir Society advisory.
    BadBlue is a (MS Windows-based) web server intended for a wide
    range of applications, from providing file sharing possibilities
    to an application development and deployment environment.  It
    includes full-featured support of tools like CGI, ISAPI and PHP.

    The BadBlue web server serves files through a library called
    ext.dll.  A typical request to the server is built up from a
    request to this file together with a string containing the actual
    command data, like so:

        http://127.0.0.1/ext.dll?mfcisapicommand=loadpage&page=default.hts

    Some ways have been found to manipulate the server by playing
    with this string.  When the data following ext.dll in the
    above-mentioned request is omitted, the server returns an error
    which discloses the path where it is running on the machine.
    What's more, when this data is replaced with a string of 284 bytes
    or more, the BadBlue web server will die.

    Directory disclosure example:

        http://server/ext.dll

    will result in:

        [Error: opening c:\program files\badblue\pe\default.htx (2)]

    Denial-of-service example:

        http://server/ext.dll?aaaaa(x 248 bytes)

    will cause the server to die.
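
    The two request shapes described above can be looked for in web or
    proxy access logs.  The following is an added example, not part of
    the original advisory; it assumes Common Log Format input, and the
    log lines, addresses and function names are constructed for
    illustration.

```python
import re
from urllib.parse import urlsplit

# The advisory text says 284 bytes and its example says 248; the lower
# figure is used here (an assumption) so that neither case is missed.
LONG_QUERY_BYTES = 248

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_target(target, limit=LONG_QUERY_BYTES):
    """Return a finding for one request target, or None if unremarkable."""
    parts = urlsplit(target)
    # Windows file names are case-insensitive, so compare lowered.
    if parts.path.rsplit("/", 1)[-1].lower() != "ext.dll":
        return None
    if not parts.query:
        return "ext.dll without command data (path disclosure case)"
    if len(parts.query.encode("utf-8", "replace")) >= limit:
        return "ext.dll with oversized command data (denial-of-service case)"
    return None


def scan(lines, limit=LONG_QUERY_BYTES):
    """Yield (line_number, client, finding) for matching log lines."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = classify_target(match.group("target"), limit)
        if finding:
            yield number, line.split(" ", 1)[0], finding


# Constructed sample log lines (documentation address range, made-up times).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /ext.dll?mfcisapicommand=loadpage&page=default.hts HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Jan/2002:10:00:05 +0000] "GET /ext.dll HTTP/1.0" 200 64',
    '192.0.2.44 - - [01/Jan/2002:10:00:09 +0000] "GET /ext.dll?' + "a" * 300 + ' HTTP/1.0" 502 0',
    '192.0.2.10 - - [01/Jan/2002:10:00:12 +0000] "GET /index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for number, client, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {client}: {finding}")
```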

SOLUTION

    Working Resources Inc. has made BadBlue version 1.02.8 available
    from its website, which addresses these problems.  This was tested
    against BadBlue 1.02.07 Personal Edition.  After contacting the
    vendor, it is our understanding that the other members of the
    BadBlue product suite are based on the same code base and are
    vulnerable as well.  Users are encouraged to upgrade.