Sami FTP Server LIST command buffer overflow

2013-04-01T00:00:00
ID SAINT:3DD6FF8BD319704D38D6B47C7AF24216
Type saint
Reporter SAINT Corporation
Modified 2013-04-01T00:00:00

Description

Added: 04/01/2013
BID: 58247
OSVDB: 90815

Background

Sami FTP Server is an FTP server for Windows.

Problem

Sami FTP Server is affected by a buffer overflow vulnerability. A remote attacker could exploit this vulnerability by sending a long, specially crafted LIST command to the server, resulting in command execution when a user views the Log tab.

Resolution

Sami FTP Server is no longer supported. Use a different FTP server.

References

<http://www.exploit-db.com/exploits/24557/>

Limitations

The exploit works on Sami FTP Server 2.0.1 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2644615.

A user must view the Log tab in Sami FTP Server after running this exploit in order for the exploit to succeed. The exploit remains listening for a connectback in the background.

Platforms

Windows