Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 87916 - www-servers/monkeyd local DoS+format string bug
Summary: www-servers/monkeyd local DoS+format string bug
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa] jaervosz
Keywords:
: 87917 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-04-04 08:26 UTC by rob holland (RETIRED)
Modified: 2005-04-15 10:28 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description rob holland (RETIRED) gentoo-dev 2005-04-04 08:26:23 UTC
Putting a zero byte file in htdocs somewhere and then requesting it repeatedly will cause monkeyd to corrupt memory/blow up depending on MALLOC_CHECK_

Dodgy code is:

void M_free(void *ptr)
{
    if(ptr!=NULL){
        memset(ptr, '\0', sizeof(ptr));
        free(ptr);
        ptr=NULL;
    }
}

The memset doesn't do what was intended. This isn't normally visible but the 0 byte file causes monkeyd to malloc(0) which means there is no data allocated to "absorb" the broken memset call. The ptr=NULL thing is also just plain weird :)

Problem was spotted by ciaranm and investigated by me.

The code is pretty scary, taviso is checking it over some more atm so hold fire on any glsa etc ;)
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-04-04 08:33:25 UTC
*** Bug 87917 has been marked as a duplicate of this bug. ***
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-11 23:49:26 UTC
Is upstream informed yet?
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-12 02:26:11 UTC
there's a remotely exploitable double expansion in m_build_buffer_from_buffer()

example crash to get a bt:

printf "GET %%00 HTTP/1.1\nHost: %%500n%%500n\n\n" | nc localhost 2001

It looks like a nice project, but my confidence in the security of the code is low, perhaps we should consider masking it until it matures.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-12 02:37:53 UTC
there are alternatives available (i've used thttpd in the past), and there are numerous mistakes like the one ciaran spotted.

I think we should mask for now.
Comment 5 rob holland (RETIRED) gentoo-dev 2005-04-12 03:23:01 UTC
I will inform upstream (having discussed it with taviso).
Comment 6 rob holland (RETIRED) gentoo-dev 2005-04-12 04:11:55 UTC
upstream emailed, cc'd security@
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-12 04:16:03 UTC
Vapier it seems like your baby, please advise.
Comment 8 SpanKY gentoo-dev 2005-04-12 05:42:13 UTC
i dont mind masking it until upstream has had a chance to reply
Comment 9 rob holland (RETIRED) gentoo-dev 2005-04-13 08:03:39 UTC
upstream fixed the first issue and have been sent a patch for the second.
Comment 10 Aaron Walker (RETIRED) gentoo-dev 2005-04-14 05:05:17 UTC
0.9.1 in CVS, stable on x86.  CC'd archs please mark stable.
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-14 11:50:56 UTC
Stable on ppc.
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-15 06:05:23 UTC
sparc stable.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-15 10:28:59 UTC
GLSA 200504-14