Re: [RT-SA-2010-001] Geo++(R) GNCASTER: Insecure handling of long URLs

[Jeff Williams <jeffwillis30 () gmail com>]

> RedTeam Pentesting believes it is
> also possible to exploit this vulnerability to execute code on the
> server.
>
> Cant you open a debugger ?





> Proof of Concept
> ================
>
> The following command can be used to crash the server if it is called
> multiple times:
>
> $ curl -i "http://gncaster.example.com:1234/`perl<http://gncaster.example.com:1234/%60perl>-e 'printf "A"x988'`"
Jeremy's back yo !



> Workaround
> ==========
>
> A vulnerable server could be protected from this vulnerability by an
> application layer firewall that filters overly long HTTP GET requests.
>
>
> Fix
> ===
>
> Update GNCASTER to version 1.4.0.8.
>
>
> Security Risk
> =============
>
> This vulnerability can be used for very efficient DoS attacks. This is
> especially serious as GNCaster is a real time application that is
> typically used by multiple mobile clients that rely on a functioning
> server. The vulnerability could potentially also be leveraged to remote
> code execution on the server. The risk is therefore regarded as high.
>
>
> History
> =======
>
> 2009-07-06 Vulnerability identified during a penetration test
> 2009-07-14 Meeting with customer
// 8 days later, wtf ?!?

> 2009-12-01 Vendor releases fixed version
> 2010-01-27 Advisory released
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/