BACnet Test Server 1.01 Remote Denial of Service Exploit

Title: BACnet Test Server 1.01 Remote Denial of Service Exploit
Advisory ID: ZSL-2020-5597
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 06.10.2020
Summary
This is a simple BACnet Server aimed at developers who want to explore or test their BACnet Client implementations of the ASHRAE BACnet protocol. It is based on Steve Karg's fine implementation of the BACnet Stack.
Description
The BACnet Test Server is vulnerable to a denial of service (DoS) when it receives a UDP packet with a malformed BVLC length field on port 47808, which causes the application to crash.

--------------------------------------------------------------------------------

(67c.2f34): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\BACnet Interoperability Testing Services, Inc\BACnet Server\Server.exe
eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00
eip=00994313 esp=005fec04 ebp=005fed00 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
Server+0x34313:
00994313 8810 mov byte ptr [eax],dl ds:002b:00600000=??
0:000> d 994313 +77
0099438a cccccccc
0099438e cccccccc
00994392 cccccccc
00994396 cccccccc
0099439a cccccccc
0:000> d esp
005fec04 005ff3f8
005fec08 005ff408
005fec0c 00692000
005fec10 cccccccc
005fec14 cccccccc
004fec18 cccccccc

--------------------------------------------------------------------------------
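
The BVLC header the description refers to, parsed with the length validation a hardened BACnet/IP receiver performs before touching the payload. This is an added Python example, not the vendor's code or Steve Karg's BACnet Stack; the function-code table is from ASHRAE 135 Annex J and the sample datagrams are constructed.

```python
import struct

BVLC_TYPE_BACNET_IP = 0x81
BVLC_HEADER_LEN = 4
BVLC_FUNCTIONS = {  # function codes from ASHRAE 135 Annex J (J.2)
    0x00: "BVLC-Result", 0x01: "Write-BDT", 0x02: "Read-BDT", 0x03: "Read-BDT-Ack",
    0x04: "Forwarded-NPDU", 0x05: "Register-Foreign-Device", 0x06: "Read-FDT",
    0x07: "Read-FDT-Ack", 0x08: "Delete-FDT-Entry", 0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU",
}

def parse_bvlc(datagram: bytes) -> dict:
    """Parse one BACnet/IP BVLL datagram; raise ValueError on anything malformed."""
    if len(datagram) < BVLC_HEADER_LEN:
        raise ValueError("truncated BVLC header")
    bvlc_type, function, length = struct.unpack("!BBH", datagram[:BVLC_HEADER_LEN])
    if bvlc_type != BVLC_TYPE_BACNET_IP:
        raise ValueError(f"unexpected BVLC type 0x{bvlc_type:02x}")
    if function not in BVLC_FUNCTIONS:
        raise ValueError(f"unknown BVLC function 0x{function:02x}")
    if length < BVLC_HEADER_LEN:
        raise ValueError(f"BVLC length {length} smaller than header")
    # Never size a copy from the 16-bit length field alone: it must match
    # the bytes actually received, otherwise the packet is dropped.
    if length != len(datagram):
        raise ValueError(f"BVLC length {length} != datagram size {len(datagram)}")
    payload = datagram[BVLC_HEADER_LEN:]
    if function == 0x04:  # Forwarded-NPDU carries the 6-byte originating B/IP address
        if len(payload) < 6:
            raise ValueError("Forwarded-NPDU too short for originating address")
        payload = payload[6:]
    return {"function": BVLC_FUNCTIONS[function], "length": length, "npdu": payload}

def check_bvlc(datagram: bytes) -> tuple:
    """(True, function name) or (False, reason) for logging or filtering on UDP/47808."""
    try:
        return True, parse_bvlc(datagram)["function"]
    except ValueError as exc:
        return False, str(exc)

# Constructed sample datagrams, not captured traffic.
GOOD = b"\x81\x0a\x00\x08" + b"\x01\x00\x10\x08"   # unicast NPDU, length field 8 == size
OVERSTATED = b"\x81\x0a\xff\xff" + b"\x01\x00"     # length field 65535, only 6 bytes present
UNDERSTATED = b"\x81\x0a\x00\x01" + b"\x01\x00"    # length field 1, below the 4-byte header
TRUNCATED = b"\x81\x0a"                            # header itself cut short

if __name__ == "__main__":
    for pkt in (GOOD, OVERSTATED, UNDERSTATED, TRUNCATED):
        print(pkt.hex(), "->", check_bvlc(pkt))
```

Running the script prints one verdict per constructed datagram; only the first is accepted, the other three are rejected with the reason a receiver would log.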

Vendor
BACnet Interoperability Test Services, Inc. - https://www.bac-test.com
Affected Version
1.01 (BACnet Stack Version 0.5.7)
Tested On
Microsoft Windows 10 Professional (EN)
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
N/A
PoC
bacnet_server_dos.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/48860
[2] https://packetstormsecurity.com/files/159504
[3] https://cxsecurity.com/issue/WLB-2020100045
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/189567
Changelog
[06.10.2020] - Initial release
[18.10.2020] - Added references [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk