Netwosix Linux Security Advisory #2004-0008 <http://www.netwosix.org>
Package name: monit
Summary: Multiple security problems in monit
Date: 2004-04-06
Affected versions: Netwosix 1.0 Netwosix 1.1
Package description:
monit is a utility for managing and monitoring, processes, files,
directories and devices on a Unix system. Monit conducts automatic
maintenance and repair and can execute meaningful causal actions in
error situations. E.g. monit can start a process if it does not
run, restart a process if it does not respond and stop a process if
it uses to much resources. You may use monit to monitor files,
directories and devices for changes, such as timestamp changes,
checksum changes or size changes. You can also use monit to monitor
remote hosts; monit can ping a remote host and can check port
connections and protocols.
Problem description:
- Monit HTTP Interface Buffer Overflow Vulnerability
Monit implements a simple HTTP interface that supports Basic
authentication. This interface suffers from a buffer overflow
vulnerability when handling a client that authenticates with
malformed credentials. An attacker could send a carefully crafted
Authorization header to the monit server and cause the server to
either crash or worse to execute arbitrary code with the privileges
of the monit user. - Off-By-One Overflow in Monit HTTP Interface
This buffer overflow lies in the handling of POST submissions
with entity bodies. If the request body has the exact length of X
bytes, monit will write one byte past its designated input buffer.
This error can cause the monit server to crash.
Action:
We recommend that all systems with this package installed be
upgraded. Please note that if you do not need the functionality
provided by this package, you may want to remove it from your
system.
Location:
You can download the latest version of this package in NEPOTE
format from: <http://download.netwosix.org/0008/nepote>
Nepote Update
(Nepote has been updated with new ports on 21 March 2004. Update
your portage tree from http://nepote.netwosix.org,
first):
See this instructions to update the port of this package:
# cd /usr/ports/sysutils/monit
# rm nepote
# wget http://download.netwosix.org/0008/nepote
# sh nepote (to install the new and updated package)
References
Specific references for this advisory:
http://www.tildeslash.com/monit/secadv_20040305.txt
About Linux Netwosix:
Linux Netwosix is a powerful and optimized Linux distribution for
servers and Network Security related jobs. It can also be used for
special operations such as penetration testing with its big
collection of security oriented software and sources. It’s a light
distribution created for the requirements of every SysAdmin and
it’s very portable and highly configurable. Our philosophy is to
give greater liberty for configuration to the SysAdmin. Only in
this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to
the xBSD systems but more flexible and usable.
Questions?
Check out our mailing lists:
<http://www.netwosix.org/mailing.html>
The advisory itself is available at
<http://www.netwosix.org/adv08.html>
MD5sums of the packages:
68e85a51998a53459a09d2aa0d5f905d 0008/nepote
Vincenzo Ciaglia – Linux Netwosix Security Advisories
<ciaglia@netwosix.org> –
<http://www.netwosix.org>