Ricoh DC Software DL-10 FTP Server USER Remote Code Execution

2012-05-09T00:00:00
ID SAINT:118AA65337F9162311B18020837973B2
Type saint
Reporter SAINT Corporation
Modified 2012-05-09T00:00:00

Description

Added: 05/09/2012
BID: 52235
OSVDB: 79691

Background

Various cameras (e.g. CX1-6, G700, G700SE) provided by Ricoh support transfering images to a PC over FTP. Ricoh supplies a small FTP server called SR-10 / Capftpd which enables users to transfer images from camera to computer.

Problem

The flaw is caused due to a boundary error in the SR10 FTP server when logging FTP commands. This can be exploited to cause a stack-based buffer overflow via long username sent to TCP port 21 but requires the "Log file name" option to be enabled (disabled by default).

Resolution

No updates which address this vulnerability are available at this time. Until an update is available, discontinue use of this software or limit access to the vulnerable service.

References

<http://secunia.com/advisories/47912/>
<http://security.inshell.net/advisory/5>

Limitations

This exploit has been tested against Ricoh SR10 FTP server 4.5.0.1 (SR10.exe 1.1.0.6) on Windows XP SP3 English (DEP OptIn).

Platforms

Windows