exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Geo++(R) GNCASTER Insecure Handling Of Long URLs

Geo++(R) GNCASTER Insecure Handling Of Long URLs
Posted Jan 27, 2010
Site redteam-pentesting.de

During a penetration test, RedTeam Pentesting discovered that the GNCASTER software does not handle long URLs correctly. An attacker can use this to crash the server software or potentially execute code on the server.Versions 1.4.07 and below are affected.

tags | exploit
SHA-256 | 67f6376c0ea6f3cd887c980ec39b831bccb583cf0aef753ee78c623a431765ae

Geo++(R) GNCASTER Insecure Handling Of Long URLs

Change Mirror Download
Advisory: Geo++(R) GNCASTER: Insecure handling of long URLs

During a penetration test, RedTeam Pentesting discovered that the
GNCASTER software does not handle long URLs correctly. An attacker can
use this to crash the server software or potentially execute code on the


Product: Geo++(R) GNCASTER
Affected Versions: <=
Fixed Versions:
Vulnerability Type: Memory corruption
Security Risk: high
Vendor URL: http://www.geopp.de
Vendor Status: notified
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-001
Advisory Status: published


"Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP
is a protocol within RTCM to provide GNSS information via Internet."

(from the vendor's homepage)

More Details

The GNCaster software allows communication with clients through a subset
of the HTTP protocol. If an attacker sends an HTTP GET request for a
nonexistent URL path and the request is less than 988 bytes long, the
server reacts with an HTTP 404 error and the message

File "/AAAAAA[...]AAAA" not found on this server.

If the URL path length is 988 bytes or more, the HTTP 404 error is still
returned but the server thread stops before returning the message above.

If attackers send a sequence of such requests in quick succession, the
server can be reproducibly crashed. RedTeam Pentesting believes it is
also possible to exploit this vulnerability to execute code on the

Proof of Concept

The following command can be used to crash the server if it is called
multiple times:

$ curl -i "http://gncaster.example.com:1234/`perl -e 'printf "A"x988'`"


A vulnerable server could be protected from this vulnerability by an
application layer firewall that filters overly long HTTP GET requests.


Update GNCASTER to version

Security Risk

This vulnerability can be used for very efficient DoS attacks. This is
especially serious as GNCaster is a real time application that is
typically used by multiple mobile clients that rely on a functioning
server. The vulnerability could potentially also be leveraged to remote
code execution on the server. The risk is therefore regarded as high.


2009-07-06 Vulnerability identified during a penetration test
2009-07-14 Meeting with customer
2009-12-01 Vendor releases fixed version
2010-01-27 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at

RedTeam Pentesting GmbH Tel.: +49 241 963-1300
Dennewartstr. 25-27 Fax : +49 241 963-1304
52068 Aachen http://www.redteam-pentesting.de/
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
Login or Register to add favorites

File Archive:

October 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    0 Files
  • 2
    Oct 2nd
    22 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By