BACnet Test Server Denial-of-Service Vulnerability

A remote denial-of-service vulnerability has been identified in BACnet Test Server versions through 1.01. The issue arises in the BACnet/IP BVLC packet handling, where the server fails to properly validate the BVLC Length field in incoming UDP BVLC frames on the default BACnet port (47808/udp). This lack of validation allows a remote, unauthenticated attacker to send a malformed BVLC Length value, triggering an access violation that crashes the application and causes a denial-of-service condition.

Impact

Exploitation of this vulnerability leads to an access violation, causing the application to crash and creating a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a malformed BVLC Length UDP packet to port 47808. This can be done using a Perl script that creates a UDP socket, connects to the target server, and sends the malformed packet. The server will crash upon receiving the packet, demonstrating the denial-of-service vulnerability.