BadBlue XSS vulnerabilities / Filesharing Server Worm


The BadBlue server technology does not adequately validate and filter URL
input from untrustworthy sources. This can be abused to create a malicious
link to the server containing arbitrary script code. When a legitimate user
browses the malicious link, the script code will be executed in the user's
browser.

Extending on this problem, it is possible for a remote attacker to
gain control of any/all machines performing searches on the network through
a combination of this problem and a weak authentication scheme.


Cross site scripting example:

http://server/alert("doh!")


This problem is made worse by the fact that it is also found in the
numerous administrative scripts shipped with the server, which do not filter
URL input correctly either. The problem here is not so much that script code
can be executed in local pages, since there is no real security hazard there.
However, these scripts can be used to insert script code into variables
which are displayed when other users on the filesharing network search the
local machine for files. This will execute the script in the browser of those
(remote) users as well. Since the server only checks the (local) ip used to
authenticate a user as the server admin, this script could well be used to
execute commands on remote machines running BadBlue. A quick piece of script
we wrote as a proof of concept was able to spread to remote machines doing a
search (no other user-interaction required!), create a user account on the
target server and "phone home" the details and hide itself, ready to spread
to a next machine.


(..)


Solution:

Vendor has been notified. BadBlue v1.6.1 Beta has recently been released which
fixes several, but not all, occurrences of XSS in BadBlue. Users are encouraged
to upgrade to this version because it fixes another security problem in the
software (as described in our advisory sns2k2-badblue7-adv), but are advised
to disable all scripting while running BadBlue.


Vulnerable:

- BadBlue Personal Edition (v1.5.6 Beta) for Win95/NT4
- BadBlue Personal Edition (v1.5.6 Beta) for Win98/2000/ME/XP
- BadBlue Enterprise Edition (v1.5.?) for Win95/NT4
- BadBlue Enterprise Edition (v1.5.?) for Win98/2000/ME/XP

- Deerfield D2Gfx (v1.0.2 - Effectively BadBlue v1.0.2) for Win9x/NT/2000/ME/XP