BadBlue Denial Of Service
Vendor: BadBlue
Product: BadBlue
Version: <= 2.5
BID: 10983
CVE: CVE-2004-1727
OSVDB: 9107
SECUNIA: 12346
Share photos, videos, music, and business files with friends and colleagues instantly. Tired of paying a service to share your files (and the hassle of sending your files to their site)? BadBlue shares files directly from your own PC, using the cable/DSL/broadband/dialup connection you already paid for! BadBlue lets you run a no-hassle Web site on your own PC for free, including a domain name you can choose. Within seconds, you can transform your PC into a friendly, file-sharing Web server with all the power of a real server on the Internet. Remote users can search for files, explore your shared folders, and run full-blown applications created in HTML, PHP, Perl, and so on.

Denial Of Service Vulnerability:
BadBlue Webserver cannot handle multiple connections from the same host, and will deny all access to any users at right around twenty-four simultaneous connections. I have included a proof of concept that floods the target server with a number of connections, and then basically keeps those connections up for as long as you specify, thus blocking all other traffic to the affected server.

Proof of Concept:
BadBlue Webserver Denial of Service POC Code

The development team has been contacted and said they will be looking into this issue shortly. Users are advised to upgrade as soon as possible.
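
Added example, not part of the original advisory or of BadBlue: a monitoring check that counts established connections per remote host to the web server port and flags any host approaching the roughly twenty-four connection level described above. The `netstat -an` sample is constructed, and the port (80), the warning margin and all function names are assumptions made for this example.

```python
import re
from collections import Counter

# Limit taken from the advisory's "right around twenty-four" figure;
# the warning margin below it is an assumption chosen for this example.
BLOCK_THRESHOLD = 24
WARN_MARGIN = 4

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING"]
    + [f"  TCP    192.0.2.10:80     198.51.100.7:{4000 + i}     ESTABLISHED" for i in range(24)]
    + [f"  TCP    192.0.2.10:80     203.0.113.5:{5000 + i}      ESTABLISHED" for i in range(3)]
    + ["  TCP    192.0.2.10:80     203.0.113.9:5100      TIME_WAIT",
       "  TCP    192.0.2.10:3389   198.51.100.7:6000     ESTABLISHED"]
)

# One TCP row: local address:port, remote address:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def connections_per_host(netstat_text, server_port=80):
    """Count ESTABLISHED connections to server_port, keyed by remote host."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP or blank line
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if int(local_port) == server_port and state == "ESTABLISHED":
            counts[remote_ip] += 1
    return counts

def flag_hosts(counts):
    """Return {host: (count, level)} for hosts near or at the limit."""
    flagged = {}
    for host, n in counts.items():
        if n >= BLOCK_THRESHOLD:
            flagged[host] = (n, "at-limit")
        elif n >= BLOCK_THRESHOLD - WARN_MARGIN:
            flagged[host] = (n, "warning")
    return flagged

if __name__ == "__main__":
    found = flag_hosts(connections_per_host(SAMPLE_NETSTAT))
    for host, (n, level) in sorted(found.items()):
        print(f"{host}: {n} connections to port 80 ({level})")
```

A host held at the "at-limit" level for an extended period matches the behaviour described in the vulnerability section and is a candidate for blocking at the firewall until the server is upgraded.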

James Bercegay of the GulfTech Security Research Team.