
Buffer Overflow DoS Vulnerability With Possible Arbitrary Code Execution (Trac #182) #88

Closed
edsiper opened this issue Jan 28, 2014 · 8 comments

Comments

@edsiper
Copy link
Member

edsiper commented Jan 28, 2014

This one was hard to debug, so I don't have much information in the way of stack traces, etc., but I do have a demo script, and this will cause monkey to drop a core file which you can use for further analysis. However, it appears this has something to do with the handling of headers.

Below is the demo script. Just set the hostname and execute.

http://pastebin.com/7b0ZKNtm

Migrated from http://bugs.monkey-project.com/ticket/182

{
    "status": "closed", 
    "changetime": "2013-06-07T06:13:50", 
    "description": "This one was hard to debug so I don't have much information in the way of stack traces, etc. but I do have a demo script and this will cause monkey to drop a core file which you can use for further analysis. However, it appears this has something to do with the handling of headers.\n\nBelow is the demo script.  Just set the hostname and execute.\n\nhttp://pastebin.com/7b0ZKNtm", 
    "reporter": "dougsko", 
    "cc": "", 
    "resolution": "fixed", 
    "_ts": "1370585630421358", 
    "component": "Unspecified", 
    "summary": "Buffer Overflow DoS Vulnerability With Possible Arbitrary Code Execution", 
    "priority": "major", 
    "keywords": "", 
    "version": "", 
    "time": "2013-05-30T15:22:49", 
    "milestone": "", 
    "owner": "edsiper", 
    "type": "defect"
}
@edsiper
Copy link
Member Author

edsiper commented Jan 28, 2014

Trac update at 20130530T16:27:44: dougsko commented:

After more debugging, it looks like the problem is line 268 in mk_request.c. This is what everything looks like just before the crash:

Breakpoint 2, mk_request_header_process (sr=0xb5c04c58) at mk_request.c:268
268 memcpy(port, host.data + pos_sep + 1, port_len);
(gdb) info locals
p = 0xb7fec6c4 "\351W\377\377\377\215\264&"
port_len = -17
port_size = 6
port = 0xb6de1180 "Z<\300\265:"
uri_init = 4
uri_end = 4
query_init = -1
prot_init = 6
prot_end = 14
pos_sep = 15
fh_limit = 15
headers = 0xb5c03c54 "Host:\r\nlocalhost\r\nBad: ", 'A' <repeats 177 times>...
temp = 0x0
host = {data = 0xb5c03c5a "\nlocalhost\r\nBad: ", 'A' <repeats 183 times>...,
len = 4294967295}
(gdb)

I think there just needs to be some better validation right around line 261:

/* Port string length */
port_len = (host.len - pos_sep - 1);
if (port_len >= port_size) {
return -1;
}

@edsiper
Copy link
Member Author

edsiper commented Jan 28, 2014

Trac update at 20130605T18:17:24:

  • edsiper changed owner from "" to "edsiper"
  • edsiper changed status from "new" to "assigned"

@edsiper
Copy link
Member Author

edsiper commented Jan 28, 2014

Trac update at 20130605T18:23:57: edsiper commented:

I have pushed a fix for the real root cause of the problem into a testing branch:

http://git.monkey-project.com/?p=monkey;a=shortlog;h=refs/heads/fix_182

Please test the fix and send me some feedback so I can release a new version of Monkey.

Patch info:


This patch fixes the root cause of the problem described in Ticket #88:
if a header is malformed, e.g. a header key without a value, the
ToC parser used to continue processing the next header line.

The solution applied is to improve the ToC generator by adding extra
validations for at least one colon and forcing each header line to contain
a value or an empty space; otherwise the server will trigger a Bad Request
response to the client and close the connection.

@edsiper
Copy link
Member Author

edsiper commented Jan 28, 2014

Trac update at 20130605T20:13:47: dougsko commented:

Yep, your fix seemed to do the trick.

@edsiper
Copy link
Member Author

edsiper commented Jan 28, 2014

Trac update at 20130605T20:31:27:

  • dougsko changed _comment0 from:

Actually, maybe not. I can still segfault this branch with the following request:

echo 'GET / HTTP/1.1\r\nHost:\r\n\r\nlocalhost\r\nUser-Agent:foo\r\n\r\n' | netcat localhost 2001

to:

1370464314675223

  • dougsko commented:

Actually, maybe not. I can still segfault the fix_182 branch with the following request:

echo 'GET / HTTP/1.1\r\nHost:\r\n\r\nlocalhost\r\nUser-Agent:foo\r\n\r\n' | netcat localhost 2001
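
The two fix layers discussed in this thread, as an added worked example (this is not Monkey's code and not from either participant). `lookup_host_prefix` is an assumption reconstructed from the gdb dump above: when "Host:" has no value, data is set one byte past the key (headers+6 in the dump) and len is left at 4294967295 (UINT_MAX). `vuln_port_len` repeats the quoted `host.len - pos_sep - 1` arithmetic with a ':' search that is not bounded by len, to show how port_len becomes -17 for the first request (and -26 for the header block of the netcat request just above) and why `port_len >= port_size` does not stop the memcpy; the copy itself is deliberately not performed. `validate_header_block` is a ToC-stage check in the spirit of edsiper's description (every line needs a colon and a value or a space after it, else Bad Request), and `safe_parse_port` / `request_port` are a hardened port extraction. All function names, return codes and the header blocks REQ1, REQ2 and GOOD are constructed for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define PORT_SIZE 6               /* port_size in the gdb dump */

/* Header value as (pointer, unsigned length), as in the dump, where a key
 * with no value left len == 4294967295 (UINT_MAX on the 32-bit build). */
typedef struct { const char *data; unsigned int len; } hdr_ptr;

/* Constructed header blocks (everything after the request line): the two
 * crashers from this thread and one well-formed request. */
static const char REQ1[] = "Host:\r\nlocalhost\r\nBad: AAAAAAAA\r\n\r\n";
static const char REQ2[] = "Host:\r\n\r\nlocalhost\r\nUser-Agent:foo\r\n\r\n";
static const char GOOD[] = "Host: localhost:2001\r\nUser-Agent: foo\r\n\r\n";

/* Hypothetical pre-fix lookup reconstructed from the dump: with nothing
 * after "Host:", data points one byte past the key and len is never set. */
static hdr_ptr lookup_host_prefix(const char *headers)
{
    hdr_ptr h = { NULL, UINT_MAX };
    const char *p = strstr(headers, "Host:");
    if (!p)
        return h;
    p += 5;
    if (*p == '\r' || *p == '\n') {       /* key without a value */
        h.data = p + 1;
        return h;                         /* len left at UINT_MAX */
    }
    while (*p == ' ')
        p++;
    h.data = p;
    const char *eol = strstr(p, "\r\n");
    h.len = eol ? (unsigned int)(eol - p) : (unsigned int)strlen(p);
    return h;
}

/* The pre-fix arithmetic quoted in the thread.  The ':' search is not bounded
 * by len, so it finds the colon of the *next* header line; then
 * (unsigned len) - (int pos_sep) - 1 stored in a signed int is -17 for REQ1,
 * "port_len >= port_size" is false, and memcpy() would get (size_t)-17. */
static int vuln_port_len(hdr_ptr host)
{
    const char *sep = strchr(host.data, ':');
    int pos_sep = sep ? (int)(sep - host.data) : -1;
    int port_len = (host.len - pos_sep - 1);
    return port_len;                      /* copy deliberately not done */
}

/* Fix layer 1, ToC-stage validation: every header line needs a key, a ':'
 * and at least one byte after the colon (a value or a space).
 * 0 = OK, -1 = answer 400 Bad Request and close the connection. */
static int validate_header_block(const char *headers)
{
    const char *line = headers;
    for (;;) {
        const char *eol = strstr(line, "\r\n");
        if (!eol)
            return -1;                    /* unterminated header block */
        if (eol == line)
            return 0;                     /* blank line: end of headers */
        const char *colon = memchr(line, ':', (size_t)(eol - line));
        if (!colon || colon == line || colon + 1 >= eol)
            return -1;                    /* no key, no colon, or no value */
        line = eol + 2;
    }
}

/* Fix layer 2, defensive port extraction: only [data, data+len) is inspected,
 * the length arithmetic is unsigned and cannot wrap, and anything that does
 * not fit port[] with its NUL is refused.  0 = port filled, 1 = no port,
 * -1 = malformed. */
static int safe_parse_port(hdr_ptr host, char *port, size_t port_size)
{
    if (!host.data || host.len == 0 || host.len == UINT_MAX)
        return -1;                        /* no value: layer 1 should have caught it */
    if (memchr(host.data, '\r', host.len) || memchr(host.data, '\n', host.len))
        return -1;                        /* a value never spans lines */
    size_t pos_sep = host.len;            /* last ':' so IPv6 colons are skipped */
    for (size_t i = host.len; i-- > 0; )
        if (host.data[i] == ':') { pos_sep = i; break; }
    if (pos_sep == host.len || host.data[host.len - 1] == ']') {
        port[0] = '\0';                   /* no port, or bracketed IPv6 literal */
        return 1;
    }
    size_t port_len = host.len - pos_sep - 1;   /* pos_sep < len: cannot wrap */
    if (port_len == 0 || port_len >= port_size)
        return -1;                        /* empty, or would not fit with NUL */
    for (size_t i = 0; i < port_len; i++)
        if (!isdigit((unsigned char)host.data[pos_sep + 1 + i]))
            return -1;
    memcpy(port, host.data + pos_sep + 1, port_len);
    port[port_len] = '\0';
    return 0;
}

/* Both layers together: -1 if rejected, 0 if Host has no port, else the port. */
static long request_port(const char *headers)
{
    char port[PORT_SIZE];
    if (validate_header_block(headers) != 0)
        return -1;
    int rc = safe_parse_port(lookup_host_prefix(headers), port, sizeof port);
    return rc < 0 ? -1 : rc == 1 ? 0 : strtol(port, NULL, 10);
}
```

The point of keeping both layers is that the ToC check alone was shown in this thread to be easy to get wrong (the second request still crashed the first fix_182 revision), while the port parser alone would still be handed a pointer past the real value; with the unsigned, bounds-checked arithmetic in `safe_parse_port` a bad Host value is rejected rather than copied.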

@edsiper
Copy link
Member Author

edsiper commented Jan 28, 2014

Trac update at 20130606T16:05:59: edsiper commented:

thanks for the report.

I have added and reworked validations in the same branch:

http://git.monkey-project.com/?p=monkey;a=shortlog;h=refs/heads/fix_182

I will wait for your feedback, thanks.

@edsiper
Copy link
Member Author

edsiper commented Jan 28, 2014

Trac update at 20130606T17:07:03: dougsko commented:

Everything looks good to me.

@edsiper
Copy link
Member Author

edsiper commented Jan 28, 2014

Trac update at 20130607T06:13:50:

  • edsiper commented:

fixed in 1.2.1

  • edsiper changed resolution from "" to "fixed"
  • edsiper changed status from "assigned" to "closed"

@edsiper edsiper closed this as completed Jan 28, 2014