cFos Personal Net v3.09 Remote Heap Memory Corruption Denial of Service

Title: cFos Personal Net v3.09 Remote Heap Memory Corruption Denial of Service
Advisory ID: ZSL-2014-5184
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 24.04.2014
Summary
cFos Personal Net (PNet) is a full-featured HTTP server intended for personal and professional use. For personal use, instead of hosting websites with a webhoster, you just run it on your Windows machine. For professional use, you rent a virtual windows PC or dedicated PC from a webhoster and run it there.
Description
cFos Personal Net web server is vulnerable to a remote denial of service issue when processing multiple malformed POST requests in less than 3000ms. The issue occurs when the application fails to handle the data sent in the POST requests in a single socket connection causing heap memory corruption which results in a crash of the HTTP service.

--------------------------------------------------------------------------------

(658.1448): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for cfospnet.exe
eax=feeefeee ebx=02813dcc ecx=02813dcc edx=00000000 esi=028198b0 edi=02813c88
eip=00914529 esp=03b1fb94 ebp=03b1fbb8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
cfospnet+0x54529:
00914529 ff5004 call dword ptr [eax+4] ds:002b:feeefef2=????????
0:024> d ecx
02813dcc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813ddc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813dec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813dfc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e0c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e1c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e2c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e3c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0:024> d
02813e4c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e5c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e6c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e7c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e8c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813e9c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813eac ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813ebc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0:024> d
02813ecc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813edc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813eec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813efc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f0c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f1c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f2c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813f3c ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21 .............f.!
0:024> d
02813f4c 8e e8 06 18 d0 71 2d 04-c0 f8 80 02 d0 71 2d 04 .....q-......q-.
02813f5c 01 00 ad ba 5f 43 46 50-4e 45 54 5f 50 41 54 48 ...._CFPNET_PATH
02813f6c 00 f0 ad ba 0c 00 00 00-0f 00 00 00 90 41 2c 04 .............A,.
02813f7c 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 29 00 00 00 ............)...
02813f8c 2f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 /...............
02813f9c 00 00 00 00 aa 66 9a 38-dc e8 06 00 10 31 2c 04 .....f.8.....1,.
02813fac d0 0c 81 02 ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813fbc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0:024> d
02813fcc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813fdc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813fec ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
02813ffc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281400c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281401c ee fe ee fe ee fe ee fe-ee fe ee fe be 66 99 2f .............f./
0281402c c6 e8 06 18 0a 00 00 00-6e 00 61 00 6d 00 65 00 ........n.a.m.e.
0281403c 3d 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 =...............
0:024> d
0281404c 00 00 00 00 b0 66 9a 22-d2 e8 06 00 60 8b 80 02 .....f."....`...
0281405c 10 c9 2b 04 ee fe ee fe-ee fe ee fe ee fe ee fe ..+.............
0281406c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281407c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281408c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281409c ee fe ee fe ee fe ee fe-ee fe ee fe b0 66 99 21 .............f.!
028140ac dc e8 06 18 e8 08 81 02-30 37 86 02 c0 4b 81 02 ........07...K..
028140bc 00 00 ad ba 52 45 51 55-45 53 54 5f 55 52 49 00 ....REQUEST_URI.
0:024> d
028140cc 0d f0 ad ba 0b 00 00 00-0f 00 00 00 08 41 81 02 .............A..
028140dc 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 1d 00 00 00 ................
028140ec 1f 00 00 00 ab ab ab ab-ab ab ab ab 00 00 00 00 ................
028140fc 00 00 00 00 bc 66 99 2d-dc e8 06 18 2f 73 63 72 .....f.-..../scr
0281410c 69 70 74 73 2f 67 65 74-5f 73 65 72 76 65 72 5f ipts/get_server_
0281411c 73 74 61 74 73 2e 6a 73-73 00 ad ba ab ab ab ab stats.jss.......
0281412c ab ab ab ab 00 00 00 00-00 00 00 00 ad 66 9a 3f .............f.?
0281413c d0 e8 06 00 c8 4a 2c 04-f0 18 2d 04 ee fe ee fe .....J,...-.....
0:024> d
0281414c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281415c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281416c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281417c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281418c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0281419c ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
028141ac ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
028141bc ee fe ee fe ee fe ee fe-ee fe ee fe ee fe ee fe ................
0:024> d esi
028198b0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
028198c0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
028198d0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
028198e0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
028198f0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
02819900 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
02819910 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
02819920 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................

--------------------------------------------------------------------------------

Vendor
cFos Software GmbH - https://www.cfos.de
Affected Version
3.09
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
[01.04.2014] Vendor has some knowledge about the issue.
[08.05.2014] Vendor released version 3.10 to address this issue.
PoC
cfos_dos.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2014040160
[2] http://packetstormsecurity.com/files/126318
[3] http://www.securityfocus.com/bid/67060
[4] http://www.exploit-db.com/exploits/33018/
[5] http://secunia.com/advisories/58151/
[6] http://osvdb.org/show/osvdb/106284
[7] http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014040556
[8] http://www.cfos.de/en/cfos-personal-net/whats-new.htm
Changelog
[24.04.2014] - Initial release
[25.04.2014] - Added reference [2], [3], [4] and [5]
[26.04.2014] - Added reference [6]
[20.05.2014] - Added vendor status and reference [7] and [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk