Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit

Medium
Advisory ID: ZSL-2016-5378
Release Date: 12 December 2016
Vendor: Patrick Masotta - http://www.vercot.com
Affected Version: 3.0.0.1001 (Community, Pro, 32/64bit)
CVE: N/A
Tested On: Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Ultimate SP1 (EN)
Summary

Serva is a light (~3 MB), yet powerful Microsoft Windows application. It was conceived mainly as an Automated PXE Server Solution Accelerator. It bundles on a single exe all of the underlying server protocols and services required by the most complex PXE network boot/install scenarios simultaneously delivering Windows and non-Windows assets to BIOS and UEFI based targets.

Description

The vulnerability is caused by the way the HTTP (httpd) module handles TCP requests. This can be exploited to cause a denial of service, resulting in an application crash.

(c1c.4bc): C++ EH exception - code e06d7363 (first chance)
(c1c.4bc): C++ EH exception - code e06d7363 (!!! second chance !!!)
*** WARNING: Unable to verify checksum for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
eax=03127510 ebx=03127670 ecx=00000003 edx=00000000 esi=03127670 edi=031276a0
eip=74a1c54f esp=03127510 ebp=03127560 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x58:
74a1c54f c9 leave
0:013> kb
# ChildEBP RetAddr Args to Child
00 03127560 004abaaf e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
WARNING: Stack unwind information not available. Following frames may be wrong.
01 03127598 004cc909 031275b8 005e13e8 6ca23755 Serva32+0xabaaf
02 03127608 004085d3 0211ecf8 03127670 ffffffff Serva32+0xcc909
03 0312761c 004089a5 031276a0 fffffffd 00000004 Serva32+0x85d3
04 0312764c 00408f01 03127670 fffffffd 00000004 Serva32+0x89a5
05 03127698 00413b38 00000000 0040007a 00000000 Serva32+0x8f01
06 031277d8 00000000 00000000 00000000 00000000 Serva32+0x13b38

Proof of Concept
Disclosure Timeline
17.11.2016 - Vulnerability discovered.
17.11.2016 - Contact with the vendor.
18.11.2016 - Vendor responds asking for more details.
21.11.2016 - Sent details to the vendor.
23.11.2016 - Asked vendor for status update.
11.12.2016 - No response from the vendor.
12.12.2016 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
12.12.2016 - Initial release
13.12.2016 - Added reference [1] and [2]
16.12.2016 - Added reference [3], [4] and [5]