Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit

Title: Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit
Advisory ID: ZSL-2016-5378
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 12.12.2016
Summary
Serva is a light (~3 MB), yet powerful Microsoft Windows application. It was conceived mainly as an Automated PXE Server Solution Accelerator. It bundles in a single exe all of the underlying server protocols and services required by the most complex PXE network boot/install scenarios, simultaneously delivering Windows and non-Windows assets to BIOS and UEFI based targets.
Description
The vulnerability is caused by the way the HTTP (httpd) module handles TCP requests. This can be exploited to cause a denial of service, resulting in an application crash.

--------------------------------------------------------------------------------

(c1c.4bc): C++ EH exception - code e06d7363 (first chance)
(c1c.4bc): C++ EH exception - code e06d7363 (!!! second chance !!!)
*** WARNING: Unable to verify checksum for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
eax=03127510 ebx=03127670 ecx=00000003 edx=00000000 esi=03127670 edi=031276a0
eip=74a1c54f esp=03127510 ebp=03127560 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
KERNELBASE!RaiseException+0x58:
74a1c54f c9 leave
0:013> kb
# ChildEBP RetAddr Args to Child
00 03127560 004abaaf e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
WARNING: Stack unwind information not available. Following frames may be wrong.
01 03127598 004cc909 031275b8 005e13e8 6ca23755 Serva32+0xabaaf
02 03127608 004085d3 0211ecf8 03127670 ffffffff Serva32+0xcc909
03 0312761c 004089a5 031276a0 fffffffd 00000004 Serva32+0x85d3
04 0312764c 00408f01 03127670 fffffffd 00000004 Serva32+0x89a5
05 03127698 00413b38 00000000 0040007a 00000000 Serva32+0x8f01
06 031277d8 00000000 00000000 00000000 00000000 Serva32+0x13b38

--------------------------------------------------------------------------------
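A triage sketch for the debugger output above, added here as an example and not part of the original advisory or the vendor's code: it parses the `kb` frames, decodes the `RaiseException` arguments, derives the Serva32 image base and builds a module-relative crash signature for bucketing. The function names are hypothetical; the embedded trace is copied from the dump above.

```python
import re

# Frames 00-06 copied from the advisory's WinDbg `kb` output.
KB_OUTPUT = """\
00 03127560 004abaaf e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
01 03127598 004cc909 031275b8 005e13e8 6ca23755 Serva32+0xabaaf
02 03127608 004085d3 0211ecf8 03127670 ffffffff Serva32+0xcc909
03 0312761c 004089a5 031276a0 fffffffd 00000004 Serva32+0x85d3
04 0312764c 00408f01 03127670 fffffffd 00000004 Serva32+0x89a5
05 03127698 00413b38 00000000 0040007a 00000000 Serva32+0x8f01
06 031277d8 00000000 00000000 00000000 00000000 Serva32+0x13b38
"""

FRAME_RE = re.compile(
    r"^([0-9a-f]{2}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) "
    r"([0-9a-f]{8}) (\w+)(?:!(\w+))?\+0x([0-9a-f]+)$", re.I)

def parse_frames(text):
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # header and WARNING lines do not match and are skipped
            frames.append({"ret": int(m[3], 16),
                           "args": [int(m[i], 16) for i in (4, 5, 6)],
                           "module": m[7], "symbol": m[8], "offset": int(m[9], 16)})
    return frames

def describe_exception(frames):
    first = frames[0]
    if first["symbol"] != "RaiseException":
        raise ValueError("top frame is not RaiseException")
    code, flags, nargs = first["args"]  # RaiseException(code, flags, nargs, ...)
    # MSVC encodes a thrown C++ exception as 0xE0000000 | ASCII "msc".
    tag = (code & 0x00FFFFFF).to_bytes(3, "big").decode("ascii", "replace")
    return {"code": code, "msvc_cpp_throw": code >> 24 == 0xE0 and tag == "msc",
            "noncontinuable": bool(flags & 1), "nargs": nargs}

def image_bases(frames, module):
    # Frame N's return address lands inside frame N+1, so base = ret - offset.
    return {a["ret"] - b["offset"] for a, b in zip(frames, frames[1:])
            if b["module"] == module and b["symbol"] is None}

def crash_signature(frames, module):
    # Module-relative offsets do not change when the image is rebased.
    return "|".join(f"{f['module']}+0x{f['offset']:x}" for f in frames
                    if f["module"] == module)
```

For this dump the exception decodes as a non-continuable MSVC C++ throw that no handler caught, and every Serva32 frame resolves against the same image base, so the offset chain can serve as a key for matching later crashes of the same build.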

Vendor
Patrick Masotta - http://www.vercot.com
Affected Version
3.0.0.1001 (Community, Pro, 32/64bit)
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[17.11.2016] Vulnerability discovered.
[17.11.2016] Contact with the vendor.
[18.11.2016] Vendor responds asking for more details.
[21.11.2016] Sent details to the vendor.
[23.11.2016] Asked vendor for status update.
[11.12.2016] No response from the vendor.
[12.12.2016] Public security advisory released.
PoC
g6.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40905/
[2] https://cxsecurity.com/issue/WLB-2016120063
[3] https://packetstormsecurity.com/files/140112
[4] http://www.vfocus.net/art/20161213/13199.html
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/119725
Changelog
[12.12.2016] - Initial release
[13.12.2016] - Added reference [1] and [2]
[16.12.2016] - Added reference [3], [4] and [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk