X5 Webserver 5.0 Remote Denial Of Service Exploit
Summary
Credit:
The information has been provided by Stefan Petrushevski aka sm –
The original article can be found at: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5377.php
Details
Vulnerable Systems:
* iMatrix X5 Webserver 5.0a0
The vulnerability is caused by a NULL pointer dereference when processing malicious HEAD and GET requests. This can be exploited to cause a denial of service.
--------------------------------------------------------------------------------
(12c0.164c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:zslabws64327xitami-5.0a0-windowsxitami.exe
*** ERROR: Module load completed but symbols could not be loaded for C:zslabws64327xitami-5.0a0-windowsxitami.exe
eax=0070904d ebx=03a91808 ecx=0070904d edx=00000000 esi=0478fef4 edi=0478fe8c
eip=00503ae0 esp=0478fb28 ebp=0478fb48 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
xitami+0x103ae0:
00503ae0 8b02 mov eax,dword ptr [edx] ds:002b:00000000=????????
0:004> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0478fb48 00460ee6 0ace0840 04025ea0 0478fd78 xitami+0x103ae0
01 0478fe8c 0045f6fa 0ace0bd8 0478ff28 cccccccc xitami+0x60ee6
02 0478fee8 004c60a1 0478ff14 00000000 0478ff38 xitami+0x5f6fa
03 0478ff28 004fdca3 03a90858 03a67e38 00000000 xitami+0xc60a1
04 0478ff40 00510293 03a90858 fc134d7d 00000000 xitami+0xfdca3
05 0478ff7c 00510234 00000000 0478ff94 7679338a xitami+0x110293
06 0478ff88 7679338a 03a91808 0478ffd4 77029902 xitami+0x110234
07 0478ff94 77029902 03a91808 7134bcc2 00000000 kernel32!BaseThreadInitThunk+0xe
08 0478ffd4 770298d5 00510190 03a91808 00000000 ntdll!__RtlUserThreadStart+0x70
09 0478ffec 00000000 00510190 03a91808 00000000 ntdll!_RtlUserThreadStart+0x1b
--------------------------------------------------------------------------------
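The faulting instruction above, a load through edx while edx is 00000000, is the signature of the bug class the description names. The C snippet below is an added illustration of that class, not code from Xitami or from the advisory: it places an unguarded request handler beside a guarded one. The names struct request, find_header, handle_unguarded, handle_guarded and guarded_status are invented for this example, and the actual X5 code path is not shown on this page.

```c
#include <string.h>

/* Hypothetical request record; struct and field names are assumptions
 * for this illustration, not Xitami's own structures. */
struct request {
    const char *method;   /* "GET", "HEAD", ... */
    const char *headers;  /* raw "Name: value\r\n" lines */
};

/* Pointer past "Name:" of the first matching header line, or NULL when
 * the request does not carry that header. */
const char *find_header(const struct request *req, const char *name)
{
    size_t n = strlen(name);
    const char *p = req->headers;
    while (p && *p) {
        if (strncmp(p, name, n) == 0 && p[n] == ':')
            return p + n + 1;
        p = strstr(p, "\r\n");   /* advance to the next header line */
        if (p) p += 2;
    }
    return NULL;
}

/* Unguarded pattern: an absent header makes find_header() return NULL and
 * the load through it faults, the same class of crash as the
 * "mov eax,dword ptr [edx]" with edx=00000000 in the dump above. */
int handle_unguarded(const struct request *req)
{
    const char *host = find_header(req, "Host");
    return host[0] == ' ';   /* NULL dereference when Host is missing */
}

/* Guarded pattern: check the pointer and reject the request instead. */
int handle_guarded(const struct request *req)
{
    if (strcmp(req->method, "GET") != 0 && strcmp(req->method, "HEAD") != 0)
        return 501;
    const char *host = find_header(req, "Host");
    if (host == NULL)
        return 400;   /* Bad Request; the worker thread keeps serving */
    return 200;
}

/* Wrapper that builds a constructed request from raw strings. */
int guarded_status(const char *method, const char *headers)
{
    struct request req = { method, headers };
    return handle_guarded(&req);
}
```

A crash-dump triage that ends in a NULL base register, as here, points at the guarded form as the fix: the missing check belongs where the lookup result is consumed, and the server should answer with an error status rather than lose the worker thread.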
Vendor Status:
[15.11.2016] Vulnerability discovered.
[17.11.2016] Vendor contacted.
[29.11.2016] No response from the vendor.
[30.11.2016] Public security advisory released.
Disclosure Timeline:
Release Date: 30.11.2016