Multiple Vulnerabilities in Monit I. Product Description As quoted from http://www.tildeslash.com/monit/ web page: "monit is a utility for managing and monitoring, processes, files, directories and devices on a Unix system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations. E.g. monit can start a process if it does not run, restart a process if it does not respond and stop a process if it uses to much resources. You may use monit to monitor files, directories and devices for changes, such as timestamp changes, checksum changes or size changes. You can also use monit to monitor remote hosts; monit can ping a remote host and can check port connections and protocols." II. Affected Systems Stable: Monit 4.2 and prior Beta: Monit 4.3 Beta 2 and prior III. Vulnerability Description Three vulnerabilities were found in Monit during a simple code review. All of the vulnerabilities are in Monit's HTTP/HTTPS administration interfaces, and as such can only be exploited if the interface is enabled and accessible. Two of the vulnerabilities lie in the Basic authentication code, while one vulnerability lies in the processing of POST requests. * Basic Authentication Out-of-Bounds Read (Denial of Service) When faced with a Basic authentication request without a password, Monit will decrement a pointer returned by a strchr() call without appropriate NULL pointer checking. The error results in a segmentation fault during a strcpy() call. This request can be generated with a simple web browser. This vulnerability does not allow users to gain privileges on the server. For instance. Specifically, if the base64-decoded credentials string does not contain a colon, the vulnerability can be exploited. * Basic Authentication Buffer Overflow (Remote Root) When faced with a Basic authentication request with an overly-long user name (> 256 characters), vulnerable versions of Monit will overrun a stack-based buffer. This potentially allows a remote attacker to gain root privileges. * POST Input Off-By-One (Exploitability Varies) When faced with a POST submission that is exactly 1,024 bytes, Monit suffers from an off-by-one overflow. Exploitability depends upon the version of gcc used to compile the application. Some compilers will allow this overflow to modify the frame pointer, potentially controlling stack frames. * UPDATE: Integer Overflow in POST Input Handler (Initially discovered by S-Quadra) S-Quadra discovered that a large HTTP POST would cause an xmalloc() call within the WBA to fail. This issue was fixed in 4.2.1 as a denial of service. In fact, this code also contained an exploitable integer overflow. By specifying a Content-Length header of -1, a zero-byte heap allocation is performed. An attacker can then input an arbitrary amount of data, overwriting significant portions of the heap. My research suggests that this issue could also be exploited. IV. Impact A remote attacker with access to Monit's WBA via HTTP or HTTPS clients could potentially gain the privileges of the root user. V. Vendor Response April 3, 2004: * First two vulnerabilities discovered * Monit team notified via e-mail (monitgroup@tildeslash.com) April 4, 2004: * Response from Jan Henrik-Haukeland (hauk@tildeslash.com) * Patch for first two reports committed to CVS * Third vulnerability discovered * Monit team notified via e-mail (monitgroup@tildeslash.com) April 5, 2004: * Response from Jan Henrik-Haukeland (hauk@tildeslash.com) * Patch for third issue committed to CVS * Monit team releases security advisory * Monit 4.2.1 released * Monit 4.3 Beta 3 released * Public disclosure The Monit team deserves praise on a very speedy response to this vulnerability. Particularly noteworthy is that the vendor was notified shortly before midnight on April 4, 2004. The patch for each of these issues was committed to CVS within 18 hours of the initial report. Thanks to Jan Henrik-Haukeland for a fast response to this issue. VI. Workaround For those who cannot immediately upgrade packages, it is recommended that the Monit HTTP interface be disabled. If access to this interface is necessary, limit it to the Local Area Network with appropriate firewalling. Upgrading as listed in "Solution" below is recommended if possible. For those users of Monit who have deployed vendor-provided packages, you should wait for updated vendor binaries. VII. Solution * Monit 4.2 Stable: The vendor has released Monit 4.2.1, which contains these fixes. It can be downloaded at: http://www.tildeslash.com/monit/dist/monit-4.2.1.tar.gz MD5 Checksum: http://www.tildeslash.com/monit/dist/monit-4.2.1.tar.gz.md5 * Monit 4.3 Beta: The vendor has released Monit 4.3 Beta 3, which contains these fixes. It can be downloaded at: http://www.tildeslash.com/monit/beta/monit-4.3-beta3.tar.gz MD5 Checksum: http://www.tildeslash.com/monit/beta/monit-4.3-beta3.tar.gz.md5 The vendor has released a security advisory documenting these vulnerabilities: http://www.tildeslash.com/monit/secadv_20040305.txt -------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ .
