Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit
Title: Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit
Advisory ID: ZSL-2016-5378
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 12.12.2016
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Microsoft Windows 7 Ultimate SP1 (EN)
[17.11.2016] Contact with the vendor.
[18.11.2016] Vendor responds asking more details.
[21.11.2016] Sent details to the vendor.
[23.11.2016] Asked vendor for status update.
[11.12.2016] No response from the vendor.
[12.12.2016] Public security advisory released.
[2] https://cxsecurity.com/issue/WLB-2016120063
[3] https://packetstormsecurity.com/files/140112
[4] http://www.vfocus.net/art/20161213/13199.html
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/119725
[13.12.2016] - Added reference [1] and [2]
[16.12.2016] - Added reference [3], [4] and [5]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5378
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 12.12.2016
Summary
Serva is a light (~3 MB), yet powerful Microsoft Windows application. It was conceived mainly as an Automated PXE Server Solution Accelerator. It bundles on a single exe all of the underlying server protocols and services required by the most complex PXE network boot/install scenarios simultaneously delivering Windows and non-Windows assets to BIOS and UEFI based targets.Description
The vulnerability is caused by the HTML (httpd) module and how it handles TCP requests. This can be exploited to cause a denial of service attack resulting in application crash.--------------------------------------------------------------------------------
(c1c.4bc): C++ EH exception - code e06d7363 (first chance)
(c1c.4bc): C++ EH exception - code e06d7363 (!!! second chance !!!)
*** WARNING: Unable to verify checksum for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
eax=03127510 ebx=03127670 ecx=00000003 edx=00000000 esi=03127670 edi=031276a0
eip=74a1c54f esp=03127510 ebp=03127560 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x58:
74a1c54f c9 leave
0:013> kb
# ChildEBP RetAddr Args to Child
00 03127560 004abaaf e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
WARNING: Stack unwind information not available. Following frames may be wrong.
01 03127598 004cc909 031275b8 005e13e8 6ca23755 Serva32+0xabaaf
02 03127608 004085d3 0211ecf8 03127670 ffffffff Serva32+0xcc909
03 0312761c 004089a5 031276a0 fffffffd 00000004 Serva32+0x85d3
04 0312764c 00408f01 03127670 fffffffd 00000004 Serva32+0x89a5
05 03127698 00413b38 00000000 0040007a 00000000 Serva32+0x8f01
06 031277d8 00000000 00000000 00000000 00000000 Serva32+0x13b38
--------------------------------------------------------------------------------
Vendor
Patrick Masotta - http://www.vercot.comAffected Version
3.0.0.1001 (Community, Pro, 32/64bit)Tested On
Microsoft Windows 7 Professional SP1 (EN)Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[17.11.2016] Vulnerability discovered.[17.11.2016] Contact with the vendor.
[18.11.2016] Vendor responds asking more details.
[21.11.2016] Sent details to the vendor.
[23.11.2016] Asked vendor for status update.
[11.12.2016] No response from the vendor.
[12.12.2016] Public security advisory released.
PoC
g6.pyCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.exploit-db.com/exploits/40905/[2] https://cxsecurity.com/issue/WLB-2016120063
[3] https://packetstormsecurity.com/files/140112
[4] http://www.vfocus.net/art/20161213/13199.html
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/119725
Changelog
[12.12.2016] - Initial release[13.12.2016] - Added reference [1] and [2]
[16.12.2016] - Added reference [3], [4] and [5]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk