Full Disclosure mailing list archives

Re: [RT-SA-2010-001] Geo++(R) GNCASTER: Insecure handling of long URLs
From: Jeff Williams <jeffwillis30 () gmail com>
Date: Wed, 27 Jan 2010 08:10:37 -0500

RedTeam Pentesting believes it is
also possible to exploit this vulnerability to execute code on the
server.

Can't you open a debugger?

Proof of Concept
================

The following command can be used to crash the server if it is called
multiple times:

$ curl -i "http://gncaster.example.com:1234/`perl -e 'printf "A"x988'`"

Jeremy's back, yo!

Workaround
==========

A vulnerable server could be protected from this vulnerability by an
application layer firewall that filters overly long HTTP GET requests.


Fix
===

Update GNCASTER to version 1.4.0.8.


Security Risk
=============

This vulnerability can be used for very efficient DoS attacks. This is
especially serious as GNCaster is a real time application that is
typically used by multiple mobile clients that rely on a functioning
server. The vulnerability could potentially also be leveraged for remote
code execution on the server. The risk is therefore regarded as high.


History
=======

2009-07-06 Vulnerability identified during a penetration test
2009-07-14 Meeting with customer

// 8 days later, wtf?!?

2009-12-01 Vendor releases fixed version
2010-01-27 Advisory released

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
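The workaround quoted above is an application-layer filter on overly long GET requests. As an added example (not from the advisory, RedTeam or Geo++), the script below applies that length check to constructed common-log-format lines, such as a reverse proxy in front of the caster might write, and reports sources that repeated the overlong request, since the advisory says the crash needs several calls. The 512-byte limit, the log format and all sample lines are assumptions.

```python
import re
from collections import Counter

# Assumed limit: the longest request path the caster should legitimately
# receive. The advisory's PoC sends 988 bytes; 512 is a constructed value.
MAX_PATH_LEN = 512

# Common-log-format request record (assumed format, e.g. from a reverse proxy).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" ')

# Constructed sample lines: one normal mountpoint request, three overlong ones
# from a single client, and one line that is not a request record at all.
_LONG_PATH = "/" + "A" * 988
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [27/Jan/2010:08:10:37 -0500] "GET /MOUNT1 HTTP/1.1" 200 512',
    f'10.0.0.9 - - [27/Jan/2010:08:11:02 -0500] "GET {_LONG_PATH} HTTP/1.1" 400 0',
    f'10.0.0.9 - - [27/Jan/2010:08:11:03 -0500] "GET {_LONG_PATH} HTTP/1.1" 400 0',
    f'10.0.0.9 - - [27/Jan/2010:08:11:04 -0500] "GET {_LONG_PATH} HTTP/1.1" 400 0',
    'garbage line that does not parse',
])


def parse_line(line):
    """Return (ip, method, path) for a common-log-format line, or None."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path")


def is_overlong(path, limit=MAX_PATH_LEN):
    """The per-request check an application-layer firewall would apply."""
    return len(path.encode("utf-8")) > limit


def overlong_hits(log_text, limit=MAX_PATH_LEN):
    """Return (ip, path_length) for every GET whose path exceeds the limit."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a request record; skip rather than fail
        ip, method, path = parsed
        if method == "GET" and is_overlong(path, limit):
            hits.append((ip, len(path)))
    return hits


def sources_by_count(hits, min_hits=2):
    """Sources with at least min_hits overlong GETs; repeats are the signal."""
    counts = Counter(ip for ip, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}
```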
