From: David Endler (dendler_at_idefense.com)
Date: Mon Sep 30 2002 - 09:09:59 CDT



    iDEFENSE Security Advisory 09.30.2002
    Buffer Overflow in WN Server

    DESCRIPTION

    Versions 1.18.2 through 2.0.0 of John Franks’ WN Server application
    are susceptible to remote exploitation of a buffer overflow through
    which an attacker could cause arbitrary code execution under the
    privileges of the targeted server. Exploitation is possible by issuing
    WN Server a long GET request. In order to successfully exploit this
    vulnerability, customized shell code is required to bypass the
    character filtering that WN Server imposes on the requested URI.

    "WN is a Web server which runs on a wide variety of UNIX platforms
    and is freely available at no cost for any use under the terms of the
    GNU General Public License." It is included in the latest FreeBSD
    ports collection as well.

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2002-1166 to this issue.

    ANALYSIS

    The following is a snapshot of an exploit at work:

    $ (./wn_bof 0 3; cat) | nc target 80
    Trying ret=0xbfbeb4ec
    $ id
    uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
    $ uname
    FreeBSD

    Exploitation of a buffer overflow usually results in one of two
    things: the targeted process, application or host crashes, or
    arbitrary code executes. Both have serious repercussions, but in most
    cases code execution is more threatening in that it could allow for
    the further usurpation of higher-level privileges on the targeted
    host.

    DETECTION

    wn-1.18.2 through wn-2.0.0, including the version shipped in the
    FreeBSD Project’s current ports collection, are vulnerable. Take the
    following steps to determine whether a specific WN implementation is
    susceptible:

    1. Ensure that WN is running and open two terminals.
    2. In the first terminal execute:
        $ (perl -e 'print "GET /" . "a"x1600';cat)|nc localhost 80
    3. In the second terminal, determine the process ID of the child that
    was spawned to handle the previous command, and attach GDB to it:
        # ps ax | grep swn
          4223 ?? Ss 0:00.29 ./swn
          4711 ?? S 0:00.01 ./swn
        # gdb ./swn 4711
          GNU gdb 4.18
          Copyright 1998 Free Software Foundation, Inc.
          ...
    4. In the second terminal, type 'c' telling GDB to continue.
    5. In the first terminal, press enter. If at this point the following
    output is returned from GDB, then a vulnerable WN implementation is
    running:
        Program received signal SIGSEGV, Segmentation fault.
        0x61616161 in ?? ()
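
    As an added illustration of the detection side (not part of the
    original advisory or of WN Server), the following Python checker flags
    request lines carrying an overlong or padded request-target, such as
    the probe in step 2. The 1024-byte threshold, the 256-byte run length
    and the sample requests are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Threshold is an assumption for illustration; the advisory's probe sends a
# 1600-byte path, far beyond the request-targets a normal client emits.
MAX_TARGET_LEN = 1024
# A run of 256 or more identical bytes is typical of padding used to reach
# the overflow (the crash above shows EIP = 0x61616161, i.e. "aaaa").
REPEAT_RUN = re.compile(rb"(.)\1{255,}", re.DOTALL)


@dataclass
class Finding:
    method: bytes
    target_len: int
    reasons: List[str] = field(default_factory=list)


def inspect_request(raw: bytes) -> Optional[Finding]:
    """Parse the HTTP request line and flag overlong or padded targets."""
    line = raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2:
        return None  # not an HTTP request line at all
    method, target = parts[0], parts[1]
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request-target exceeds %d bytes" % MAX_TARGET_LEN)
    if REPEAT_RUN.search(target):
        reasons.append("request-target contains a long run of one byte")
    if not reasons:
        return None
    return Finding(method, len(target), reasons)


# Constructed sample traffic: a benign request, the advisory's step-2 probe
# ("GET /" followed by 1600 'a' characters), and a non-HTTP blob.
SAMPLES: Dict[str, bytes] = {
    "normal": b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "probe": b"GET /" + b"a" * 1600 + b"\r\n",
    "junk": b"\x16\x03\x01\x00",
}


def scan(samples: Dict[str, bytes]) -> Dict[str, Optional[Finding]]:
    """Run the checker over a set of captured request lines."""
    return {name: inspect_request(req) for name, req in samples.items()}
```

    Only the step-2 probe is reported, with both reasons set; the benign
    request and the non-HTTP bytes produce no finding.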

    VENDOR RESPONSE

    WN Server 2.4.4 is available at
    http://hopf.math.nwu.edu/wn-2.4.4.tar.gz. Users should strongly
    consider deploying the latest version.

    DISCLOSURE TIMELINE

    8/29/2002 Disclosed to iDEFENSE
    9/24/2002 Disclosed to vendor John Franks (john@math.northwestern.edu)
    9/24/2002 Disclosed to iDEFENSE Clients
    9/25/2002 Vendor Response
    9/30/2002 Public Disclosure

    CREDIT

    This issue was exclusively disclosed to iDEFENSE by badc0ded
    (badc0ded@badc0ded.com).

    Get paid for security research
    http://www.idefense.com/contributor.html

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendler@idefense.com
    www.idefense.com
