Advisory: Monkey HTTPd improper input validation vulnerability
Note: The original advisory can be found here.
|Affected products:||Monkey web server versions ≤ 0.9.2|
|Class:||Improper Input Validation (CWE-20), Incorrect Calculation (CWE-682)|
|Discovered by:||Patroklos Argyroudis|
We have discovered a remotely exploitable “improper input validation” vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads that process HTTP requests.
Monkey is a fast, efficient, small and easy to configure HTTP/1.1 compliant web server. It has been designed to be scalable with low memory and CPU consumption. More information about its features can be found here.
Monkey (up to and including version 0.9.2) employs an insufficient input
validation method for handling HTTP requests with invalid connection headers.
Specifically, the vulnerability is in the calculation for the end of the
request body buffer related to newline characters in function
Request_Find_Variable() in the file
With a specially crafted request body the
pos_init_var integer can take the
28 in decimal) and the
pos_end_var integer can take the value
26 in decimal). Then in the
m_copy_string() function, the
calculation for the unsigned integer
size in line 428 (file
leads to a signedness bug and
m_copy_string() returns NULL (line 438, file
Request_Find_Variable() to return NULL (line 344, file
src/request.c) and this to be used in the
strstr2() call at line 345 of
This vulnerability can allow an attacker to perform denial of service attacks by repeatedly crashing Monkey worker threads that process HTTP requests. We have developed a proof-of-concept exploit to demonstrate the vulnerability.
The maintainer of Monkey has been contacted and a new version of the web server (0.9.3) has been released that addresses this issue. All affected parties are advised to upgrade to the latest version available.