BID:1603

Omron WorldView Wnn Asian Language Server Remote Buffer Overflow Vulnerability

Info

Omron WorldView Wnn Asian Language Server Remote Buffer Overflow Vulnerability

Bugtraq ID:	1603
Class:	Boundary Condition Error
CVE:	CVE-2000-0704
Remote:	Yes
Local:	No
Published:	Mar 08 2000 12:00AM
Updated:	Jul 11 2009 02:56AM
Credit:	This vulnerability was discovered by UNYUN <[email protected]>
Vulnerable:	Wnn Wnn4 4.2 -8 + Turbolinux Turbolinux 4.2 + Turbolinux Turbolinux 4.0 Wnn Wnn4 4.2 -5TL + Turbolinux Turbolinux 3.0 Wnn Wnn4 4.2 -2TL + Turbolinux Turbolinux 2.0 Omron WorldView 6.5 + SGI IRIX 6.5.15 m + SGI IRIX 6.5.15 f + SGI IRIX 6.5.15 + SGI IRIX 6.5.14 m + SGI IRIX 6.5.14 f + SGI IRIX 6.5.14 + SGI IRIX 6.5.13 m + SGI IRIX 6.5.13 f + SGI IRIX 6.5.13 + SGI IRIX 6.5.12 m + SGI IRIX 6.5.12 f + SGI IRIX 6.5.12 + SGI IRIX 6.5.11 m + SGI IRIX 6.5.11 f + SGI IRIX 6.5.11 + SGI IRIX 6.5.10 m + SGI IRIX 6.5.10 f + SGI IRIX 6.5.10 + SGI IRIX 6.5.9 m + SGI IRIX 6.5.9 f + SGI IRIX 6.5.9 + SGI IRIX 6.5.8 m + SGI IRIX 6.5.8 f + SGI IRIX 6.5.8 + SGI IRIX 6.5.7 m + SGI IRIX 6.5.7 f + SGI IRIX 6.5.7 + SGI IRIX 6.5.6 m + SGI IRIX 6.5.6 f + SGI IRIX 6.5.6 + SGI IRIX 6.5.5 m + SGI IRIX 6.5.5 f + SGI IRIX 6.5.5 + SGI IRIX 6.5.4 m + SGI IRIX 6.5.4 f + SGI IRIX 6.5.4 + SGI IRIX 6.5.3 m + SGI IRIX 6.5.3 f + SGI IRIX 6.5.3 + SGI IRIX 6.5.2 m + SGI IRIX 6.5.2 f + SGI IRIX 6.5.2 + SGI IRIX 6.5.1 + SGI IRIX 6.5 FreeWnn FreeWnn 1.1.1 -aXXX - Debian Linux 2.2 - Debian Linux 2.1 - FreeBSD FreeBSD 5.0 - FreeBSD FreeBSD 4.0 - HP HP-UX 11.0 - HP HP-UX 10.20 - Mandriva Linux Mandrake 7.1 - Mandriva Linux Mandrake 7.0 - NetBSD NetBSD 1.4.2 x86 - NetBSD NetBSD 1.4.1 x86 - SGI IRIX 6.5 - SGI IRIX 6.4 - SGI IRIX 6.3 - SGI IRIX 6.2 - Sun Solaris 8_sparc - Sun Solaris 7.0 - Sun Solaris 2.6 - SuSE Linux 6.4 - SuSE Linux 6.3 FreeWnn FreeWnn 1.1 - Debian Linux 2.2 - Debian Linux 2.1 - FreeBSD FreeBSD 5.0 - FreeBSD FreeBSD 4.0 - HP HP-UX 11.0 - HP HP-UX 10.20 - Mandriva Linux Mandrake 7.1 - Mandriva Linux Mandrake 7.0 - NetBSD NetBSD 1.4.2 x86 - NetBSD NetBSD 1.4.1 x86 - SGI IRIX 6.5 - SGI IRIX 6.4 - SGI IRIX 6.3 - SGI IRIX 6.2 - Sun Solaris 8_sparc - Sun Solaris 7.0 - Sun Solaris 2.6 - SuSE Linux 6.4 - SuSE Linux 6.3 FreeWnn FreeWnn 1.0 - Debian Linux 2.2 - Debian Linux 2.1 - FreeBSD FreeBSD 5.0 - FreeBSD FreeBSD 4.0 - HP HP-UX 11.0 - HP HP-UX 10.20 - Mandriva Linux Mandrake 7.1 - Mandriva Linux Mandrake 7.0 - NetBSD NetBSD 1.4.2 x86 - NetBSD NetBSD 1.4.1 x86 - SGI IRIX 6.5 - SGI IRIX 6.4 - SGI IRIX 6.3 - SGI IRIX 6.2 - Sun Solaris 8_sparc - Sun Solaris 7.0 - Sun Solaris 2.6 - SuSE Linux 6.4 - SuSE Linux 6.3

Not Vulnerable:

Discussion

Omron WorldView Wnn Asian Language Server Remote Buffer Overflow Vulnerability

A remote buffer overflow exists in the Asian language servers portion of a number of different implementations of Wnn. It has been reported that only systems that have WorldView Japanese, Korean, and Chinese installed are vulnerable to this issue. Wnn is a Kana-Kanji translation system, most commonly used for foreign language support in Unix systems.

An overflow exists when the server receives a long string with a Wnn command, such as JS_OPEN, JS_MKDIR or JS_FILE_INFO included. By creating a buffer containing machine executable code, it is possible to cause a remote system running the jserver daemon to execute arbitrary commands as the user the daemon is running as. This is frequently root.

Exploit / POC

Omron WorldView Wnn Asian Language Server Remote Buffer Overflow Vulnerability

The following exploit was provided by UNYUN ([email protected]).

/data/vulnerabilities/exploits/wnn4-exp.c

Solution / Fix

References

Omron WorldView Wnn Asian Language Server Remote Buffer Overflow Vulnerability

References:

freewnn (FreeWnn.org)
security problem of jserver (freewnn mailing list)
SGI Support (Silicon Graphics Inc.)
TurboLinux Support (TurboLinux)
Wnn4.2/FreeWnn1.10/FreeWnn1.1.1a016-jserver remote overflow exploit (shadow penguin security)