Monit Buffer Overflow Lets Remote Users Obtain Root Privileges
|
|
SecurityTracker Alert ID: 1008290
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 24 2003
|
Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 4.1
|
Description: A vulnerability was reported in Monit. A remote user can cause the system to crash or can gain root access on the target system.
S-Quadra reported that a remote user can supply a specially crafted HTTP request to the target server to trigger a stack overflow
and execute arbitrary code, potentially with root privileges.
It is also reported that a remote user can suppy a negative value
in a Content-Length header field to cause an xmalloc() call to fail, crashing the Monit daemon.
The vendor was reportedly notified
on 21 November 2003.
|
Impact: A remote user can cause the daemon to crash.
A remote user can execute arbitrary code with root privileges on the target system.
|
Solution: The vendor has released a fixed version (4.1.1), available at:
http://www.tildeslash.com/monit/dist/monit-4.1.1.tar.gz
|
Vendor URL: www.tildeslash.com/monit/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: S-Quadra Security Research <e.legerov@s-quadra.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 24 Nov 2003 16:20:19 +0300
From: S-Quadra Security Research <e.legerov@s-quadra.com>
Subject: [Full-Disclosure] Monit 4.1 HTTP interface multiple security vulnerabilities
|
S-Quadra Advisory #2003-11-24
Topic: Monit 4.1 HTTP interface Multiple Security Vulnerabilities
Severity: High
Vendor URL: http://www.tildeslash.com/monit/
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031124.txt
Release date: 22 Nov 2003
1. DESCRIPTION
Monit (http://www.tildeslash.com/monit/) is a utility for managing and
monitoring, processes, files, directories and devices on a Unix system.
It conducts automatic maintenance and repair and can execute meaningful
causal actions in error situations.
Monit provides a HTTP(S) interface and you can use a browser to access
the monit server.
There exists several security vulnerabilites in Monit HTTP interface,
which could allow an attacker
in the worst case to gain root access to the system.
2. DETAILS
-- Vulnerability 1: Long http method stack overflow
By supplying an overly large http request method and attacker could
trigger a stack overflow condition which may lead to a remote root
compromise.
Below is a successfull run of 'xonya' Monit <= 4.1 remote root exploit
(PoC):
$./xonya -t 3 -p 2812 192.168.3.12
Selected platform 3 ...
Retaddr is 0xXXXXXXXX, nulladdr is 0xXXXXXXXX ...
Connected to 192.168.3.12:2812
Sending the request ...
Got a remote shell:
Linux 2.4.20 i686 unknown
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
exit
-- Vulnerability 2: Denial of Service via negative Content-Length field
By supplying a negative value in Content-Length header an attacker could
cause a xmalloc() failure and kill a Monit daemon.
Below is a successfull run of 'donit' Monit <= 4.1 remote Denial of
Service exploit (PoC):
$./donit -p 2812 192.168.3.12
Connecting to 192.168.3.12:2812 ...
Sending the request ...
Done.
$ nc -v 192.168.3.12 2812
lina.s-quadra.com [192.168.3.12] 2812 (?) : Connection refused
3. FIX INFORMATION
S-Quadra alerted Monit development team to this issue on 21th November 2003.
New version of Monit 4.1.1 is available at
http://www.tildeslash.com/monit/dist/monit-4.1.1.tar.gz which fixes the
reported security vulnerabilities.
4. CREDITS
Evgeny Legerov <e.legerov@s-quadra.com> is responsible for discovering
this issue.
5. ABOUT
S-Quadra offers services in computer security, penetration testing and
network assesment,
web application security, source code review and third party product
vulnerability assesment,
forensic support and reverse engineering.
Security is an art and our goal is to bring responsible and high quality
security
service to the IT market, customized to meet the unique needs of each
individual client.
S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services
we bring to our clients.
S-Quadra Advisory #2003-11-24
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
