CuteFTP LIST Command Remote Overflow

2003-01-18T07:47:03
ID OSVDB:2181
Type osvdb
Reporter OSVDB
Modified 2003-01-18T07:47:03

Description

Vulnerability Description

GlobalSCAPE CuteFTP versions up to 5.0.2 contain a flaw that allows a remote buffer overflow. The FTP client fails to check the size of the response from the LIST command before placing it into the buffer, resulting in a stack overflow. This could allow arbitrary code to be executed on the remote victims machine.

Technical Description

When a FTP Server is responding to a "LIST" (directory listing) command, the response is sent over a data connection. For Build 50.6.10.2 sending 257 bytes over this connection will cause a buffer to overflow, and the EIP register can be overwritten completely by sending 260 bytes of data. In build 51.1.23.1 sending 780 bytes to the LIST command is required to overflow the stack.

Solution Description

The vendor has released version 5.0.2 of CuteFTP XP that is reported to fix the stack overflow vulnerability. Versions 5.0.1, 5.0 or earlier should be uninstalled and version 5.0.2 be installed.

Short Description

GlobalSCAPE CuteFTP versions up to 5.0.2 contain a flaw that allows a remote buffer overflow. The FTP client fails to check the size of the response from the LIST command before placing it into the buffer, resulting in a stack overflow. This could allow arbitrary code to be executed on the remote victims machine.

References:

Secunia Advisory ID:7898 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-01/0123.html Mail List Post: http://www.securityfocus.com/archive/1/325659 ISS X-Force ID: 11093 Generic Informational URL: http://www.globalscape.com/cuteftp/ Generic Exploit URL: http://packetstormsecurity.nl/0303-exploits/ftpd.pl CVE-2003-1260 Bugtraq ID: 6642