Freefloat FTPD Invalid Command Overflow

2011-09-26T00:00:00
ID SAINT:AC8C5B4E92DC0792D08BB161D09B91D3
Type saint
Reporter SAINT Corporation
Modified 2011-09-26T00:00:00

Description

Added: 09/26/2011
BID: 48704

Background

Freefloat is a software series developed directly for handheld terminals. Freefloat FTP Server is a free FTP server for various versions of Windows including Windows CE/Pocket PC.

Problem

Freefloat FTP Server is vulnerable to a stack overflow that occurs when the server sends an overly long reply. An attacker can trigger the vulnerability by sending the FTP server an overly long unknown command.
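
The class of bug described above, shown from the fixing side as an added example; this is not code from Freefloat or from SAINT. It builds an error reply for an unrecognised command without letting the client-controlled command length decide how many bytes are written. The reply wording, the buffer sizes and the function name build_unknown_reply are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 128  /* assumed size of the server's reply buffer */
#define ECHO_MAX   32  /* at most this many command bytes are echoed back */

/* Unsafe pattern this replaces (assumed, shown for contrast only):
 *     char reply[REPLY_MAX];
 *     sprintf(reply, "500 '%s': command not understood\r\n", cmd);
 * strlen(cmd) is chosen by the client, so the write can run past reply[].
 */

/* Build the reply for an unrecognised command line.
 * Returns the reply length, or -1 if out cannot hold the whole reply. */
int build_unknown_reply(char *out, size_t outlen, const char *cmd)
{
    size_t n = strcspn(cmd, "\r\n");   /* command text up to the line end */
    int truncated = n > ECHO_MAX;
    int w;

    if (truncated)
        n = ECHO_MAX;                  /* cap the echoed part */

    /* snprintf never writes more than outlen bytes, and %.*s reads
     * at most n bytes of the client-supplied string. */
    w = snprintf(out, outlen, "500 '%.*s%s': command not understood\r\n",
                 (int)n, cmd, truncated ? "..." : "");
    if (w < 0 || (size_t)w >= outlen) {
        if (outlen)
            out[0] = '\0';             /* never hand back a partial reply */
        return -1;
    }
    return w;
}

int main(void)
{
    char reply[REPLY_MAX];
    char longcmd[4001];                /* constructed oversized input */

    memset(longcmd, 'A', sizeof longcmd - 1);
    longcmd[sizeof longcmd - 1] = '\0';
    if (build_unknown_reply(reply, sizeof reply, longcmd) > 0)
        fputs(reply, stdout);
    return 0;
}
```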

Resolution

No update is available at this time. Use a firewall to restrict access to trusted computers, install an update from the vendor when one becomes available, or choose another FTP server.

References

<http://secunia.com/advisories/42465>

Limitations

This exploit has been tested against FreeFloat FTP Server 1.0 on Windows Server 2003 SP2 English (DEP OptOut) with KB956802 and KB2393802.

Platforms

Windows