Overview
===============
DartWebserver.Dll is an HTTP server provided by Dart Comunications
(dart.com). It is distributed in their PowerTCP/Webserver For ActiveX
product and likely other similar products.
"Build web applications in any familiar software development
environment. Use WebServer for ActiveX to add web-based access to
traditional compiled applications."
Version 1.9.2 and prior is vulnerable to a null pointer dereference,
these maybe generated by making a malformed request to the server.
Analysis
===============
During the processing of incoming HTTP requests the server may process
malformed requests leading to the a null pointer dereference, this
causes an exception which is not handled and the parent process
crashes. This will lead to a Denial of Service (DoS) condition. To my
knowledge this bug can *not* be used to gain access to any other CPU
registers.
The malformed packet of the format:
GET / HTTP/1.1\nContent-Length:-1\n\n
The reliability of this bug is low, requiring upwards of several
hundred requests to be processed before causing the exception. This
may be system specific, relying heavily on the host operating system's
pre-existing condition. So, if at first you do not succeed in
replicating this bug - try and try again.
Timeline
===============
10/15/2012 - Contacted vendor with an incident report.
10/15/2012 - Contacted Mitre for CVE assignment
10/17/2012 - CVE-ID Assigned
10/18/2012 - Contacted vendor with assigned CVE-ID
10/19/2012 - Vendor replied with questions about the incident report
and vulnerability
10/19/2012 - Incident report found, vulnerability details clarified
10/30/2012 - Vendor contacted researcher with an update of the status
of the bug report, indicating they do not have time to investigate the
cause of the vulnerability.
04/08/2013 - Public disclosure to Bugtraq.
More information
===============
To see more of my work and research, stop by to visit and follow my blog:
http://sadgeeksinsnow.blogspot.com/