iDEFENSE Security Advisory 09.30.2002
Buffer Overflow in WN Server
Versions 1.18.2 through 2.0.0 of John Franks' WN Server application are susceptible to remote exploitation of a buffer overflow that could allow an attacker to execute arbitrary code with the privileges of the targeted server. Exploitation is possible by issuing WN Server a long GET request. In order to successfully exploit this vulnerability, customized shell code is required to bypass the character filtering that WN Server imposes on the requested URI.
"WN is a Web server which runs on a wide variety of UNIX platforms and is freely available at no cost for any use under the terms of the GNU General Public License." It is included in the latest FreeBSD ports collection as well.
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1166 to this issue.
The following is a snapshot of an exploit at work:
    $ (./wn_bof 0 3; cat) | nc target 80
    Trying ret=0xbfbeb4ec
    $ id
    uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
    $ uname
    FreeBSD
Exploitation of a buffer overflow usually results in one of two things: the targeted process or application crashes, or arbitrary code executes. Both have serious repercussions, but in most cases code execution is more threatening in that it could allow for the further usurpation of higher-level privileges on the targeted host.
WN Server versions 1.18.2 through 2.0.0 (wn-1.18.2 to wn-2.0.0), including the version in the current release of the FreeBSD Project's ports collection, are vulnerable. Take the following steps to determine whether a specific WN implementation is susceptible:
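As an added example that is not part of this advisory or of the WN project, the following Python checks a server banner against the vulnerable version range stated above and flags request lines carrying the oversized GET URI the advisory describes. The "WN/x.y.z" banner format and the 512-byte URI threshold are assumptions, not values from the advisory.

```python
"""Checks for the WN Server long-GET overflow (CAN-2002-1166)."""
import re
from typing import List, Optional, Tuple

# Vulnerable range stated in the advisory: 1.18.2 through 2.0.0 inclusive.
VULN_LOW = (1, 18, 2)
VULN_HIGH = (2, 0, 0)
# Assumed threshold: legitimate WN request URIs are far shorter than this.
URI_LEN_THRESHOLD = 512

def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract x.y.z from a banner like 'Server: WN/2.0.0' (assumed format)."""
    m = re.search(r"\bWN/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_vulnerable_version(banner: str) -> bool:
    """True when the banner names a WN version inside the vulnerable range."""
    v = parse_version(banner)
    return v is not None and VULN_LOW <= v <= VULN_HIGH

def suspicious_request(line: str, threshold: int = URI_LEN_THRESHOLD) -> bool:
    """True for a GET request line whose URI exceeds the length threshold."""
    parts = line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return False
    return len(parts[1]) > threshold

def flag_requests(lines: List[str]) -> List[str]:
    """Return the request lines worth investigating, truncated for display."""
    return [l[:48] + "..." if len(l) > 48 else l
            for l in lines if suspicious_request(l)]

# Constructed sample request lines; not captured traffic.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /" + "A" * 2000 + " HTTP/1.0",   # oversized URI, the advisory's trigger
    "POST /cgi-bin/form HTTP/1.0",
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_version("Server: WN/2.0.0"))
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("suspicious request:", hit)
```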
WN Server 2.4.4 is available at http://hopf.math.nwu.edu/wn-2.4.4.tar.gz. Users should strongly consider deploying the latest version.
8/29/2002 Disclosed to iDEFENSE
9/24/2002 Disclosed to vendor John Franks (firstname.lastname@example.org)
9/24/2002 Disclosed to iDEFENSE Clients
9/25/2002 Vendor Response
9/30/2002 Public Disclosure
This issue was exclusively disclosed to iDEFENSE by badc0ded (email@example.com).
Get paid for security research http://www.idefense.com/contributor.html
David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071