(Old Bug - Has Been Fixed) Re: Monkey HTTP Daemon Discloses Files on the System to Remote Users
|
SecurityTracker Alert ID: 1005308
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Sep 27 2002
|
Impact: Disclosure of system information, Disclosure of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 0.1.4
|
Description: An information disclosure vulnerability was reported in the Monkey HTTP Daemon. A remote user can view files located outside of the web server document directory.
Illegal Instruction Labs warned that a remote user can supply a specially crafted URL containing the '../' directory traversal string to view files located outside of the SERVER_ROOT directory that are readable by the web server process.
According to the report, if the request is for the root directory ('/') or if the second character of the request is a period ('.'), then the path will be set to SERVER_ROOT. So, a remote user must craft the following type of request to exploit the flaw:
    GET //../../../../../../../../../etc/passwd HTTP/1.0
Some demonstration exploit code is provided in the Source Message.
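The following is an added example, not Monkey's code and not taken from the advisory. It contrasts the check as the report describes it with a segment-by-segment normalization that rejects any request path climbing above the document root. The function names are hypothetical, and the input is assumed to be already percent-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Model of the check as the advisory describes it (not Monkey's source):
 * the request is pinned to SERVER_ROOT only when it is "/" or its second
 * character is '.'. Returns 1 when the request is pinned. */
int legacy_check_pins(const char *uri)
{
    return strcmp(uri, "/") == 0 || (uri[0] != '\0' && uri[1] == '.');
}

/* Hardened check (hypothetical helper): walk the path segment by segment,
 * tracking depth below the document root. Empty segments ("//") and "."
 * do not change depth; ".." decrements it. Returns 1 if the path never
 * climbs above the root, 0 otherwise. Assumes uri is already
 * percent-decoded; symlinks still need a realpath() check after opening. */
int stays_under_root(const char *uri)
{
    int depth = 0;
    const char *p = uri;

    if (*p != '/')
        return 0;                      /* require an absolute request path */
    while (*p) {
        while (*p == '/')              /* skip one or more slashes */
            p++;
        size_t len = strcspn(p, "/");  /* length of the next segment */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;              /* climbed above the root: reject */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                   /* ordinary segment */
        }
        p += len;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample requests; the last two appear on this page. */
    const char *samples[] = { "/index.html", "/docs/../index.html",
        "/../../../../../../../../../etc/passwd",
        "//../../../../../../../../../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-45s legacy_pins=%d stays_under_root=%d\n", samples[i],
               legacy_check_pins(samples[i]), stays_under_root(samples[i]));
    return 0;
}
```

The legacy model pins the single-slash request but not the double-slash one, while the depth counter rejects both and still accepts a harmless "/docs/../index.html".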
|
Impact: A remote user can view files located outside of the web server document directory that are readable by the web server process.
|
Solution: A user reports that this is an old vulnerability that was originally reported in December 2001 and has since been fixed. The current version of Monkey is 0.5.0.
|
Vendor URL: monkeyd.sourceforge.net/
|
Cause: Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: "Daniel R. Ome" <keziah@uole.com>
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 26 Sep 2002 15:42:41 -0300
From: "Daniel R. Ome" <keziah@uole.com>
Subject: Re: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server
|
On Wed, Sep 25, 2002 at 09:10:45AM -0000,
DownBload wrote about IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server:
>
>
>
> [ Illegal Instruction Labs Advisory ]
> [-------------------------------------------------------------------------]
> Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP
> server
> Advisory number: 12
> Application: Monkey (0.1.4) HTTP server
> Application author: Eduardo Silva (EdsipeR)
> Author e-mail: edsiper@linux-chile.org
> Monkey Project: http://monkeyd.sourceforge.net
> Date: 06.09.2002
> Impact: Attacker can read files out of SERVER_ROOT directory
>
> ...
> ======[ Problem
> Monkey doesn't check HTTP request for ../ string, and because of that,
> attacker can view any file out of SERVER_ROOT directory which Monkey can
> read (if Monkey is running under root account, attacker can read any file
> on that machine).
> There is still one thing which will make attack a little more "complicate":
> ...
>
> Translated to (poor:) English:
> If our request is / or second char of our request is . , then path will be
> set to SERVER_ROOT, and in that case, we can't go out of SERVER_ROOT
> directory.
>
> Previous "if" will prevent simple reverse traversal attack like this one:
> ---cut here---
> GET /../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
>
> But can't prevent this reverse traversal attack:
> ---cut here---
> GET //../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
>
Hi:
This bug was reported in December 2001 and corrected in the following
versions. Anyway, Monkey 0.5.0 was released recently.
See you
Daniel
--
Daniel R. Ome | Adam ate the apple, and our teeth
Jujuy - R.A. | still ache.
Linux User 165078 | Hungarian proverb.