
BadBlue Unauthorized Proxy Vulnerability

12.11.02

BACKGROUND

BadBlue is a personal web server for Windows-based operating systems
that makes it simple for users to share multimedia and other files
over the internet.

DESCRIPTION

Remote exploitation of a proxy vulnerability within BadBlue makes it
possible for an anonymous remote user to establish connections to any
port on any server through the BadBlue server.

The file ext.dll is normally used for viewing files with URLs
containing "mfcisapicommand=loadpage"; however, it has a secondary
function as well.  This secondary function is called "PassThru", and can
be invoked within a URL in order to force the BadBlue server to act
as a proxy.  The following is an example of this:

http://[BadBlue Server]/ext.dll?mfcisapicommand=
PassThru&url=[Any IP:Any Port]/[Any Command]

It is important to note that BadBlue will decode any special
characters encoded with a % sign before sending the request to the
destination server, which makes it possible to send spaces, carriage
returns and other special characters.

ANALYSIS

Though proxy capabilities pose no direct threat to the server running
BadBlue, an attacker could use the proxy to bypass firewalls in order
to enter internal networks. Successful exploitation could also give an
attacker the cover of anonymity when compromising other servers by using
BadBlue as a proxy.
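
A log check for the request format described above, as an added example
that is not part of the original advisory: it scans web server access-log
lines for ext.dll requests whose mfcisapicommand is PassThru, decodes the
url parameter, and reports the proxied target. The Common Log Format
input, the case-insensitive matching, the find_passthru name and the
sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Dec/2002:10:00:01 +0000] "GET /ext.dll?mfcisapicommand=loadpage HTTP/1.0" 200 512
198.51.100.7 - - [11/Dec/2002:10:00:09 +0000] "GET /ext.dll?MfcIsapiCommand=PassThru&url=10.0.0.5:25/a%0d%0ab HTTP/1.0" 200 87
203.0.113.9 - - [11/Dec/2002:10:02:30 +0000] "GET /ext.dll?mfcisapicommand=%50assThru&url=192.0.2.10:8080/index.html HTTP/1.0" 200 1024
203.0.113.9 - - [11/Dec/2002:10:03:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# RFC 1918 ranges: a target here means the proxy reached behind the firewall.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_passthru(log_text):
    """Return one finding per request that invokes ext.dll's PassThru function."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, uri = m.groups()
        parts = urlsplit(uri)
        if not unquote(parts.path).lower().endswith("/ext.dll"):
            continue
        # parse_qs percent-decodes keys and values, so an encoded command
        # name such as %50assThru is still matched.
        params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
        if params.get("mfcisapicommand", "").lower() != "passthru":
            continue
        target = params.get("url", "")
        host, _, port = target.split("/", 1)[0].partition(":")
        try:
            internal = any(ipaddress.ip_address(host) in n for n in RFC1918)
        except ValueError:
            internal = None  # hostname, not an IP literal; not resolved here
        findings.append({
            "client": client, "host": host, "port": port or None,
            "internal": internal,
            # Decoded CR/LF or other control bytes in the forwarded request.
            "control_chars": any(ord(c) < 0x20 for c in target),
        })
    return findings
```
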

DETECTION

iDEFENSE has confirmed the existence of this vulnerability against
BadBlue Personal Edition 2.5 and below. It is suspected that the
Enterprise Edition is vulnerable as well.

WORKAROUND

iDEFENSE is unaware of any workarounds for this issue.

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

DISCLOSURE TIMELINE

11/27/2002  Exploit acquired by iDEFENSE

CREDIT

Texonet is credited with this discovery.

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.