Geo++(R) GNCASTER: Insecure handling of long URLs

2010-02-07 / 2010-02-08
Credit: RedTeam
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Advisory: Geo++(R) GNCASTER: Insecure handling of long URLs

During a penetration test, RedTeam Pentesting discovered that the GNCASTER software does not handle long URLs correctly. An attacker can use this to crash the server software or potentially execute code on the server.

Details
=======

Product: Geo++(R) GNCASTER
Affected Versions: <= 1.4.0.7
Fixed Versions: 1.4.0.8
Vulnerability Type: Memory corruption
Security Risk: high
Vendor URL: http://www.geopp.de
Vendor Status: notified
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-001
Advisory Status: published
CVE: TBA
CVE URL: TBA

Introduction
============

"Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP is a protocol within RTCM to provide GNSS information via Internet." (from the vendor's homepage)

More Details
============

The GNCaster software allows communication with clients through a subset of the HTTP protocol. If an attacker sends an HTTP GET request for a nonexistent URL path and the request is less than 988 bytes long, the server reacts with an HTTP 404 error and the message

  File "/AAAAAA[...]AAAA" not found on this server.

If the URL path length is 988 bytes or more, the HTTP 404 error is still returned, but the server thread stops before returning the message above. If attackers send a sequence of such requests in quick succession, the server can be reproducibly crashed. RedTeam Pentesting believes it is also possible to exploit this vulnerability to execute code on the server.

Proof of Concept
================

The following command can be used to crash the server if it is called multiple times:

  $ curl -i "http://gncaster.example.com:1234/`perl -e 'printf "A"x988'`"

Workaround
==========

A vulnerable server could be protected from this vulnerability by an application layer firewall that filters overly long HTTP GET requests.

Fix
===

Update GNCASTER to version 1.4.0.8.

Security Risk
=============

This vulnerability can be used for very efficient DoS attacks. This is especially serious as GNCaster is a real time application that is typically used by multiple mobile clients that rely on a functioning server. The vulnerability could potentially also be leveraged for remote code execution on the server. The risk is therefore regarded as high.

History
=======

2009-07-06 Vulnerability identified during a penetration test
2009-07-14 Meeting with customer
2009-12-01 Vendor releases fixed version
2010-01-27 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 963-1300
Dennewartstr. 25-27                     Fax : +49 241 963-1304
52068 Aachen                            http://www.redteam-pentesting.de/
Germany

Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBS2A0E9G/HXWsgFSuAQLJeggAzJXE3eZR1aJRPhKvw1fO6R0XUmVD2qsn
4h53PswQvtpdfwH78dCY6kutmmqUlgoT4iwGvkBfUe/L9dhjScNM0h/A4AKu5KFX
d3ECcbPCY6rob78RdSISAJXZXUtlRLHZYKhEMgIy2qK/x3Z6bUU/czYoezrsHLLQ
QS/YU4cFOCfKg+T761AU2wtLXZ1nly7NljQL2oXW8GBZOYlHaQaSPnkHl75KZDKh
6YSsKW7Lnl/6O2jadssrdoaQplNygHS/LjbqHapjxFHv+ALVPxLq+Mas0tjB+VUi
ZQucflb0vkRE25zTXPPsW6XrqIfQS9TpmSiP6gsazPbSSZCzZQAUtw==
=P2mF
-----END PGP SIGNATURE-----
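The workaround section above recommends an application layer filter in front of the caster, and the "More Details" section describes the observable pattern (repeated 404s for over-long paths from one client) that precedes a crash. The following Python is an added example, not code from RedTeam Pentesting or from the GNCASTER product: it implements such a front-end check against the 988-byte path length named in the advisory, and a small detector that runs the same check over web-server style log lines to find clients producing that pattern. The threshold constant, the log format and the sample log lines are constructed for this example and are assumptions; a real deployment would use the format its own proxy writes and would bucket by timestamp rather than counting across the whole log.

```python
"""Request-length filter and log detector for GNCASTER <= 1.4.0.7.

Added example (not vendor or advisory code). Implements the advisory's
workaround: reject HTTP GET requests whose path reaches the length at
which the caster misbehaves, and spot clients that repeatedly trigger it.
"""
import re
from collections import defaultdict

# The advisory reports the server thread stopping once the URL path is
# 988 bytes or longer. We measure the whole request target including the
# leading "/", which is slightly conservative (blocks one byte early).
PATH_LIMIT = 988  # bytes, from the advisory

# Only the request line is inspected; the caster speaks a subset of HTTP/1.x.
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]\r?$")


def check_request(raw: bytes) -> tuple:
    """Return (allowed, reason) for a raw HTTP request (bytes).

    Malformed request lines are rejected outright, since the caster only
    needs well-formed NTRIP/HTTP traffic. Length is counted in bytes because
    the limit in the advisory is a byte count, not a character count.
    """
    first_line = raw.split(b"\n", 1)[0]
    m = REQUEST_LINE.match(first_line)
    if not m:
        return False, "malformed request line"
    # The advisory concerns the path component, so drop any query string.
    path = m.group("target").split(b"?", 1)[0]
    if m.group("method") == b"GET" and len(path) >= PATH_LIMIT:
        return False, f"path length {len(path)} >= {PATH_LIMIT}"
    return True, "ok"


# Constructed log format (assumption): Common Log Format as written by a
# reverse proxy in front of the caster.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def find_long_path_bursts(log_lines, threshold: int = 3) -> dict:
    """Return {client: count} for clients with >= threshold 404 responses to
    GET requests that the length filter would have rejected. This is the
    "sequence of such requests" the advisory says crashes the server.
    """
    counts = defaultdict(int)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m.group("status") != "404":
            continue
        allowed, _ = check_request(m.group("req").encode())
        if not allowed:
            counts[m.group("client")] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


# Constructed sample log: one benign client, one client sending four
# over-long requests in quick succession. Addresses are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Feb/2010:10:00:01 +0100] "GET /RTCM3 HTTP/1.0" 200 512',
    '198.51.100.7 - - [07/Feb/2010:10:00:02 +0100] "GET /nope HTTP/1.0" 404 0',
] + [
    f'203.0.113.5 - - [07/Feb/2010:10:00:0{i} +0100] "GET /{"A" * 988} HTTP/1.0" 404 0'
    for i in range(3, 7)
]

if __name__ == "__main__":
    print(check_request(b"GET /RTCM3 HTTP/1.0\r\n"))
    print(check_request(b"GET /" + b"A" * 988 + b" HTTP/1.0\r\n"))
    print(find_long_path_bursts(SAMPLE_LOG))
```

`check_request` is meant to sit in whatever proxy or filter terminates client connections before they reach the caster; only the request line is parsed, so it adds no dependency on the rest of the message. `find_long_path_bursts` is the same check applied after the fact, which is useful for confirming whether an unexplained caster restart coincided with this traffic pattern.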

References:

http://xforce.iss.net/xforce/xfdb/55974
http://www.securityfocus.com/archive/1/archive/1/509194/100/0/threaded
http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-001/-geo-r-gncaster-insecure-handling-of-long-urls
http://secunia.com/advisories/38323
http://osvdb.org/62011
Copyright 2024, cxsecurity.com