OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[RT-SA-2010-003] Geo++(R) GNCASTER: Faulty implementation of HTTP Digest Authentication

From: RedTeam Pentesting GmbH (releaseredteam-pentesting.de)
Date: Wed Jan 27 2010 - 06:42:53 CST


Advisory: Geo++(R) GNCASTER: Faulty implementation of HTTP Digest
          Authentication

During a penetration test, RedTeam Pentesting discovered that the
GNCaster software has multiple bugs in its implementation of HTTP Digest
Authentication.

Details
=======

Product: Geo++(R) GNCASTER
Affected Versions: <= 1.4.0.7
Fixed Versions: 1.4.0.8
Vulnerability Type: Various types
Security Risk: low
Vendor URL: http://www.geopp.de
Vendor Status: notified
Advisory URL: http://www.redteam-pentesting.de/advisories/rt-sa-2010-003
Advisory Status: published
CVE: TBA
CVE URL: TBA

Introduction
============

"Geo++(R) GNCASTER is the Geo++ implementation of a NTRIP caster. NTRIP
is a protocol within RTCM to provide GNSS information via Internet."

(from the vendor's homepage)

More Details
============

The authentication method required for requesting the path "/admin.htm"
is HTTP Digest. The following flaws were identified during a penetration
test:

a) Even though the server states that HTTP Digest is required for
authentication, a client can use HTTP Basic Authentication successfully.

b) The server software generates the nonce used for HTTP Digest
authentication only once when the server is started. This same nonce is
then used for all authentication until the server is restarted. This
makes the authentication prone to replay attacks. The nonce is the
base64-encoded concatenation of the date and time the server was started
and a 16 byte hex string.
 
c) The server's response to a failed authentication request contains 32
bytes of data from the service's memory. This data sometimes contains
parts of other users' HTTP requests. Which portion of memory is
disclosed depends on the length of the HTTP request sent. By changing
the length of e.g. any request header, attackers might also retrieve the
authentication headers sent by other users.

Workaround
==========

None

Fix
===

Update GNCASTER to version 1.4.0.8.

Security Risk
=============

Attackers that can record a user's login communication with the server
can replay this authentication information to gain access to the admin
interface. Attackers might also be able to gather other users'
authentication headers from portions of memory disclosed by the server.
However, the admin interface currently does not seem to offer much
functionality. Therefore the risk of these vulnerabilities is regarded
as low.

History
=======

2009-07-07 Vulnerability identified during a penetration test
2009-07-14 Meeting with customer
2009-12-01 Vendor releases fixed version
2010-01-27 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
http://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH Tel.: +49 241 963-1300
Dennewartstr. 25-27 Fax : +49 241 963-1304
52068 Aachen http://www.redteam-pentesting.de/
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBS2A0zNG/HXWsgFSuAQL0QAgAzMGEEfoRixUWQ7u1a5RctwXsSj2XNjYw
iiijKsZHXbuqzaJHojYJZ6u18kFQGGIJvTVdUStirNt1oAdQvC+7UBEdCsWc2PmG
p+iW/VAHdqHlUZ/+vYiJVSw0fWQVp/uVjG3wvNGiZdfb9EqEFscmOEY1uyvOlGBG
OIcEUSCHawZsvzoc7jJNemSMZREdhHMsEH3h6zdwatcHV2RURLxIvgfVfQmwLvFZ
WVq5fj9jF6Kjn8pBjaWwEIc9G+BCbueUxGHWhcV+6hg2NE4lT9Wc50mWBFTL0a24
xSPtKeaTmz9dy8JR4Ew5ag+316hltepQuva7gmeNY6HUksVQj2BsWw==
=LJh3
-----END PGP SIGNATURE-----