EasyFTP Server Stack-Based Buffer Overflow Vulnerability in HTTP Interface

A stack-based buffer overflow vulnerability has been identified in EasyFTP Server versions through 1.7.0.11. The issue arises in the HTTP interface when the server processes GET requests to list.html. The server fails to properly validate the length of the path parameter, allowing an attacker to supply an excessively long value that overflows a buffer on the stack. This overflow can potentially corrupt control flow structures. The vulnerability is exposed through the embedded web server, which allows default anonymous access, eliminating the need for authentication. This issue was resolved in version 1.7.0.12, after which the product was renamed to UplusFtp.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, allowing for control of the execution flow. This type of vulnerability is commonly exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending an HTTP GET request to the 'list.html' endpoint with a crafted 'path' parameter that exceeds the buffer length. This can be done using a tool like Metasploit, which has a module available for this specific vulnerability. The EasyFTP server must be running on the target machine, and the request can be sent over port 8080.

Remediation

Users are advised to update to EasyFTP Server version 1.7.0.12 or later, where this vulnerability has been fixed.