Message-Id: <201306041607.r54G7PS4027818@sf01web2.securityfocus.com>
Date: Tue, 4 Jun 2013 16:07:25 GMT
From: dougtko@...il.com
To: bugtraq@...urityfocus.com
Subject: CVE-2013-3724 Monkey HTTPD 1.1.1 - Denial of Service Vulnerability

1. Title

   CVE-2013-3724 Monkey HTTPD 1.1.1 - Denial of Service Vulnerability

2. Introduction

   Monkey is a  lightweight  and  powerful  web  server  for
   GNU/Linux.

   It  has been designed to be very scalable with low memory
   and CPU consumption, the perfect  solution  for  embedded
   devices. Made for ARM, x86 and x64.


3. Abstract

   The  vulnerability is a denial of service which is caused
   by sending a null byte in an  HTTP  request  to  the  web
   server.

4. Report Timeline

   2013-05-23
      Discovered vulnerability via fuzzing
   2013-05-25
      Vendor Notification
   2013-05-26
      Vendor Response/Feedback
   2013-05-27
      Vendor Fix/Patch
   2013-05-28
      Public disclosure

5. Status

      Published

6. Affected Products

      Monkey HTTPD 1.1.1

7. Exploitation Technique

      Remote

8. Details

      A  bug  discovered  in  Monkey's HTTP parser allows an
      attacker to cause a segmentation fault in one  of  the
      daemon's  threads  using  a  specially crafted request
      containing a null byte. An attacker can crash all  the
      available  threads  by  sending  the specially crafted
      request multiple times, rendering the  server  useless
      for legitimate users.

9. Proof of Concept

      The vulnerability can be exploited by a remote attacker
      without any special privileges. The placement  of  the
      null byte within the request does not seem to have any
      effect on the result. The null byte may even  be  used
      instead of an HTTP method such as GET.  Below  is  an
      example of how this bug can be manually triggered:


     ruby -e 'puts "GET /\x00 HTTP/1.1\r\n\r\n"'|netcat localhost 2001
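
      The following is an added illustration, not code from this
      advisory or from Monkey's source: a request-line parser that
      keeps the byte count the socket returned, never relies on a
      NUL terminator, and rejects a NUL (or any other control byte)
      anywhere in the request line, exercised against the exact
      bytes the one-liner above sends. The bug class it defends
      against is an assumption, since the advisory does not publish
      Monkey's failing code path: a parser that hands a byte-counted
      network buffer to C-string functions (strlen, strchr, strstr)
      stops at the first NUL, so pointers derived from those calls
      no longer describe the bytes actually received. The field
      sizes and the bytes_hidden_from_cstring helper are illustrative.

```c
/* Added example, not from the advisory or from Monkey. Assumed bug class:
 * a byte-counted request buffer handed to strlen/strchr-style functions
 * stops at the first NUL. This parser uses (pointer, length) throughout
 * and treats any control byte in the request line as a 400, not as data. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_METHOD  16
#define MAX_TARGET  256
#define MAX_VERSION 16

struct request_line {
    char method[MAX_METHOD];
    char target[MAX_TARGET];
    char version[MAX_VERSION];
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_INCOMPLETE,   /* no CRLF yet: keep reading */
    PARSE_BAD_REQUEST   /* malformed: answer 400 and close */
};

/* Constructed input: the 20 bytes the advisory's one-liner emits
 * (ruby's puts appends one more "\n" after the blank line). */
static const unsigned char POC_REQUEST[] = "GET /\x00 HTTP/1.1\r\n\r\n\n";
#define POC_LEN (sizeof POC_REQUEST - 1)

/* How many received bytes a strlen-based parser would never see. */
size_t bytes_hidden_from_cstring(const unsigned char *buf, size_t len)
{
    const unsigned char *nul = memchr(buf, 0, len);
    return nul ? len - (size_t)(nul - buf) : 0;
}

/* Copy n bytes into a fixed field and terminate it; fail if it won't fit. */
static int copy_field(char *dst, size_t cap, const unsigned char *src, size_t n)
{
    if (n == 0 || n >= cap)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

enum parse_status parse_request_line(const unsigned char *buf, size_t len,
                                     struct request_line *out)
{
    /* Locate CRLF by byte count, never by a terminator. */
    size_t end = len;
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n') { end = i; break; }
    if (end == len)
        return PARSE_INCOMPLETE;

    /* RFC 7230 request-line is visible US-ASCII and SP only; a control
     * byte, NUL included, is a malformed request, not data to interpret. */
    for (size_t i = 0; i < end; i++)
        if (buf[i] < 0x20 || buf[i] == 0x7f)
            return PARSE_BAD_REQUEST;

    /* METHOD SP request-target SP HTTP-version, split with memchr bounded
     * by the byte count rather than strchr bounded by a terminator. */
    const unsigned char *sp1 = memchr(buf, ' ', end);
    if (sp1 == NULL)
        return PARSE_BAD_REQUEST;
    size_t a1 = (size_t)(sp1 - buf) + 1;
    const unsigned char *sp2 = memchr(buf + a1, ' ', end - a1);
    if (sp2 == NULL)
        return PARSE_BAD_REQUEST;
    size_t a2 = (size_t)(sp2 - buf) + 1;

    if (copy_field(out->method,  MAX_METHOD,  buf,      a1 - 1)      ||
        copy_field(out->target,  MAX_TARGET,  buf + a1, a2 - 1 - a1) ||
        copy_field(out->version, MAX_VERSION, buf + a2, end - a2)    ||
        strncmp(out->version, "HTTP/", 5) != 0)
        return PARSE_BAD_REQUEST;
    return PARSE_OK;
}

/* Runs the parser over the PoC bytes, a NUL in place of the method, a
 * truncated line and a benign request; returns 0 when every case behaves
 * as intended, otherwise a bitmask naming the failing case. */
int run_checks(void)
{
    static const unsigned char nul_method[] = "\x00 / HTTP/1.1\r\n\r\n";
    static const unsigned char partial[] = "GET / HTTP/1.1";
    static const unsigned char good[] = "GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n";
    struct request_line rl;
    int failed = 0;

    if (parse_request_line(POC_REQUEST, POC_LEN, &rl) != PARSE_BAD_REQUEST)
        failed |= 1;
    if (parse_request_line(nul_method, sizeof nul_method - 1, &rl) != PARSE_BAD_REQUEST)
        failed |= 2;
    if (parse_request_line(partial, sizeof partial - 1, &rl) != PARSE_INCOMPLETE)
        failed |= 4;
    if (parse_request_line(good, sizeof good - 1, &rl) != PARSE_OK ||
        strcmp(rl.method, "GET") != 0 || strcmp(rl.target, "/index.html") != 0 ||
        strcmp(rl.version, "HTTP/1.1") != 0)
        failed |= 8;
    return failed;
}

int main(void)
{
    size_t hidden = bytes_hidden_from_cstring(POC_REQUEST, POC_LEN);
    printf("wire bytes: %zu, visible to strlen: %zu, hidden: %zu\n",
           (size_t)POC_LEN, (size_t)POC_LEN - hidden, hidden);
    printf("checks failed: 0x%x\n", run_checks());
    return run_checks() != 0;
}
```

      Compile with cc -std=c99 and run: the hidden count (15 of the
      20 bytes) is what a terminator-driven parser loses sight of on
      the PoC request, and run_checks returns 0 when both NUL-bearing
      requests are refused as malformed instead of being parsed.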


10. Solution

   This vulnerability has been fixed for the 1.2.0 release.

11. Risk

   The security risk of the DoS vulnerability  is  estimated
   as low.

12. References

   http://bugs.monkey-project.com/ticket/181

13. Credits

   Doug Prostko <dougtko[at]gmail[dot]com>
      Vulnerability discovery
