BadBlue Web Server Denial of Service Vulnerability
August 20, 2004
Description:
Share photos, videos, music, and business files with friends
and colleagues instantly. Tired of paying a service to share
your files (and of the hassle of sending your files to their site)?
BadBlue shares files directly from your own PC, using the cable
/DSL/broadband/dialup connection you already paid for! BadBlue
lets you run a no-hassle Web site on your own PC for free,
including a domain name you can choose. Within seconds, you can
transform your PC into a friendly, file-sharing Web server with
all the power of a real server on the Internet. Remote users can
search for files, explore your shared folders, and run full-blown
applications created in HTML, PHP, Perl, and so on.
Denial Of Service Vulnerability:
BadBlue Webserver cannot handle multiple connections from the same
host, and will deny all access to any users at right around twenty-four
simultaneous connections. I have included a proof of concept
that floods the target server with a number of connections, and then
basically keeps those connections up for as long as you specify, thus
blocking all other traffic to the affected server.
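Because the failure mode is a single host holding roughly two dozen connections open at once, the useful thing on the defender's side is a per-source concurrency monitor. The Python below is an added example, not the advisory's PoC or anything from BadBlue; the event log format is constructed for illustration and the alert threshold of 20 is an assumption chosen to fire before the ~24-connection ceiling the advisory reports.

```python
"""Per-source concurrent-connection monitor (added example).

Reads connection OPEN/CLOSE events, tracks how many connections each
source has open at the same time, and reports sources whose peak reaches
an alert threshold. Event format is constructed: "ts src_ip OPEN|CLOSE id".
"""
from collections import defaultdict

THRESHOLD = 20  # assumption: alert below the ~24 connection ceiling reported


def peak_concurrency(events):
    """Return {source_ip: peak number of simultaneously open connections}.

    events: iterable of "timestamp src_ip OPEN|CLOSE conn_id" strings
    in chronological order.
    """
    open_conns = defaultdict(set)   # src_ip -> set of open connection ids
    peak = defaultdict(int)
    for line in events:
        _ts, src, action, conn_id = line.split()
        if action == "OPEN":
            open_conns[src].add(conn_id)
        elif action == "CLOSE":
            open_conns[src].discard(conn_id)
        else:
            raise ValueError(f"unknown action in event: {line!r}")
        peak[src] = max(peak[src], len(open_conns[src]))
    return dict(peak)


def offending_sources(events, threshold=THRESHOLD):
    """Sorted list of sources whose peak concurrency reached the threshold."""
    return sorted(src for src, n in peak_concurrency(events).items()
                  if n >= threshold)


# Constructed sample: 10.0.0.9 opens 22 connections and never closes them,
# while 10.0.0.5 behaves like a normal client (one connection at a time).
SAMPLE_EVENTS = (
    ["1093000000 10.0.0.5 OPEN a1", "1093000001 10.0.0.5 CLOSE a1"]
    + [f"{1093000010 + i} 10.0.0.9 OPEN b{i}" for i in range(22)]
    + ["1093000040 10.0.0.5 OPEN a2", "1093000041 10.0.0.5 CLOSE a2"]
)

if __name__ == "__main__":
    for src, n in peak_concurrency(SAMPLE_EVENTS).items():
        print(f"{src}: peak {n} concurrent connections")
    print("alert on:", offending_sources(SAMPLE_EVENTS))
```

In practice the per-source count can also be enforced, not just observed, by a front-end proxy or host firewall connection limit placed in front of the server.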
Proof of Concept:
BadBlue Webserver Denial of Service POC Code
Solution:
The development team has been contacted and said they will be looking into
this issue shortly. Users are advised to upgrade as soon as possible.
Credits:
James Bercegay of the GulfTech Security Research Team.