SAINT Corporation
SAINT:6B243627D8314E3E8D9454E59470E5F2
History: Dec 12, 2011 - 12:00 a.m.

VanDyke AbsoluteFTP FTP Client LIST Overflow

2011-12-12 00:00:00
SAINT Corporation
www.saintcorporation.com
vandyke absoluteftp
ftp client
buffer overflow
vulnerability
file parsing
directory listing
discontinued support
windows

Added: 12/12/2011
BID: 50614
OSVDB: 77105

Background

VanDyke AbsoluteFTP is a popular free FTP client. AbsoluteFTP was replaced by SecureFX in 1998, and support for AbsoluteFTP ended in 2007.

Problem

The AbsoluteFTP client contains a buffer overflow vulnerability when parsing file and directory listing replies from the server. The client tries to copy the file name to a fixed-length stack buffer without performing adequate validation.
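
The pattern described above, as an added C example (not VanDyke's code, which does not appear on this page): an unbounded copy of the server-supplied file name next to a length-checked one. The Unix-style LIST layout, the 260-byte buffer size and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LIST_NAME_BUF 260  /* assumed size; the real client's buffer size is not on the page */

/* Return a pointer to the name field of a Unix-style LIST line
 * (the text after 8 whitespace-separated fields), or NULL if malformed. */
static const char *list_name_field(const char *line)
{
    for (int field = 0; field < 8; field++) {
        line += strspn(line, " \t");          /* skip separators */
        size_t n = strcspn(line, " \t\r\n");  /* length of this field */
        if (n == 0) return NULL;              /* fewer than 8 fields */
        line += n;
    }
    line += strspn(line, " \t");
    return (*line && *line != '\r' && *line != '\n') ? line : NULL;
}

/* Unsafe pattern: the number of bytes copied is decided by the server. */
void copy_name_unsafe(const char *line, char *dst)
{
    const char *name = list_name_field(line);
    if (name) strcpy(dst, name);  /* no bound: overruns dst for long names */
}

/* Hardened form: measure first, reject anything that does not fit. */
int copy_name_checked(const char *line, char *dst, size_t dstsz)
{
    const char *name = list_name_field(line);
    if (!name || dstsz == 0) return -1;
    size_t len = strcspn(name, "\r\n");  /* name ends at CR/LF */
    if (len >= dstsz) return -1;         /* too long: refuse rather than truncate */
    memcpy(dst, name, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char name[LIST_NAME_BUF];
    /* Constructed sample reply line, not captured from a real server */
    const char *ok = "-rw-r--r-- 1 ftp ftp 1024 Dec 12 2011 report final.txt\r\n";
    if (copy_name_checked(ok, name, sizeof name) == 0)
        printf("name: %s\n", name);
    return 0;
}
```

Rejecting an oversized name, instead of silently truncating it, keeps the client from later acting on a file name the server never sent.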

Resolution

The vendor has discontinued support for AbsoluteFTP. Further usage of this product is not recommended.

References

<http://www.vandyke.com/products/absoluteftp/index.html>
<http://secunia.com/advisories/46781/>

Limitations

This exploit has been tested against VanDyke AbsoluteFTP 2.2.10 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

Platforms

Windows