Geo++(R) GNCASTER: Faulty implementation of HTTP Digest Authentication

2010.02.07
Credit: RedTeam
Risk: Medium
Local: No
Remote: Yes

Advisory: Geo++(R) GNCASTER: Faulty implementation of HTTP Digest Authentication

During a penetration test, RedTeam Pentesting discovered that the GNCaster software has multiple bugs in its implementation of HTTP Digest Authentication.

Details
=======

Product: Geo++(R) GNCASTER
Affected Versions: <= 1.4.0.7
Fixed Versions: 1.4.0.8
Vulnerability Type: Various types
Security Risk: low
Vendor URL: http://www.geopp.de
Vendor Status: notified
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-003
Advisory Status: published
CVE: TBA
CVE URL: TBA

Introduction
============

"Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP is a protocol within RTCM to provide GNSS information via Internet." (from the vendor's homepage)

More Details
============

The authentication method required for requesting the path "/admin.htm" is HTTP Digest. The following flaws were identified during a penetration test:

a) Even though the server states that HTTP Digest is required for authentication, a client can use HTTP Basic Authentication successfully.

b) The server software generates the nonce used for HTTP Digest authentication only once when the server is started. This same nonce is then used for all authentication until the server is restarted. This makes the authentication prone to replay attacks. The nonce is the base64-encoded concatenation of the date and time the server was started and a 16 byte hex string.

c) The server's response to a failed authentication request contains 32 bytes of data from the service's memory. This data sometimes contains parts of other users' HTTP requests. Which portion of memory is disclosed depends on the length of the HTTP request sent. By changing the length of e.g. any request header, attackers might also retrieve the authentication headers sent by other users.

Workaround
==========

None

Fix
===

Update GNCASTER to version 1.4.0.8.
Security Risk
=============

Attackers that can record a user's login communication with the server can replay this authentication information to gain access to the admin interface. Attackers might also be able to gather other users' authentication headers from portions of memory disclosed by the server. However, the admin interface currently does not seem to offer much functionality. Therefore the risk of these vulnerabilities is regarded as low.

History
=======

2009-07-07 Vulnerability identified during a penetration test
2009-07-14 Meeting with customer
2009-12-01 Vendor releases fixed version
2010-01-27 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 963-1300
Dennewartstr. 25-27                     Fax : +49 241 963-1304
52068 Aachen                            http://www.redteam-pentesting.de/
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
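Flaw b) above is the server handing out one nonce for its whole lifetime, so a captured Authorization header stays valid until the next restart. The following is an added example, not code from the advisory or from the vendor, of how a Digest server can issue per-challenge nonces that carry a timestamp and an HMAC (in the spirit of the RFC 2617 recommendation), reject stale or forged nonces and detect replays via the nonce-count, plus a small check that flags a static nonce across successive 401 challenges. The secret, the 300-second lifetime and the header strings are constructed for the example.

```python
import base64, hashlib, hmac, re, secrets

# Constructed per-process key; a restart yields a new key, never a reused nonce.
SECRET = secrets.token_bytes(32)

def make_nonce(secret: bytes, now: float) -> str:
    """Fresh nonce: issue time + random salt, bound by an HMAC so the server
    can verify age and integrity without remembering every nonce it issued."""
    ts, salt = str(int(now)), secrets.token_hex(8)
    mac = hmac.new(secret, f"{ts}:{salt}".encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{salt}:{mac}".encode()).decode()

def fresh_challenge(secret: bytes, now: float, realm: str = "admin") -> str:
    """Build the WWW-Authenticate value for a 401; a new nonce on every call."""
    return f'Digest realm="{realm}", qop="auth", nonce="{make_nonce(secret, now)}"'

def check_nonce(secret: bytes, nonce: str, nc: int, now: float,
                seen: dict, max_age: int = 300) -> str:
    """Return 'ok', 'bad', 'stale' or 'replay'. `seen` maps nonce -> highest
    nonce-count (nc) accepted so far, the RFC 2617 replay defence."""
    try:
        ts, salt, mac = base64.b64decode(nonce).decode().split(":")
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return "bad"                     # malformed nonce
    expect = hmac.new(secret, f"{ts}:{salt}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expect):
        return "bad"                     # forged or issued under another key
    if now - issued > max_age:
        return "stale"                   # client must retry with a new challenge
    if nc <= seen.get(nonce, 0):
        return "replay"                  # nonce-count did not increase
    seen[nonce] = nc
    return "ok"

NONCE_RE = re.compile(r'nonce="([^"]*)"')

def static_nonce(challenges: list) -> bool:
    """True if several Digest challenges carry the same nonce value, which is
    the symptom described in point b) of the advisory."""
    found = [m.group(1) for h in challenges for m in [NONCE_RE.search(h)] if m]
    return len(found) > 1 and len(set(found)) == 1
```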

References:

http://xforce.iss.net/xforce/xfdb/55978
http://www.securityfocus.com/archive/1/archive/1/509199/100/0/threaded
http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-003/-geo-r-gncaster-faulty-implementation-of-http-digest-authentication
http://secunia.com/advisories/38323
http://osvdb.org/62015
