Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Vermillion FTP Daemon Memory Corruption Vulnerability via Malformed PORT Command
Vulnerability
A memory corruption vulnerability has been identified in Arcane Software's Vermillion FTP Daemon (vftpd) versions through 1.31. The issue is triggered by a malformed FTP PORT command, leading to an out-of-bounds array access during input parsing. This flaw allows an attacker to manipulate stack memory, with the potential to execute arbitrary code. Exploitation requires direct access to the FTP service and is limited to a single attempt if the daemon is installed as a Windows service.
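As an added example (not taken from the advisory or from Arcane Software), the Python code below applies strict RFC 959 parsing to PORT arguments and flags malformed ones in an FTP command log, the kind of check a proxy or log pipeline in front of an affected server can apply. The function names, the length limit and the sample lines are constructed for illustration; the advisory does not describe the exact malformed input.

```python
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" -- exactly six decimal fields, each 0-255.
_FIELD = re.compile(r"[0-9]{1,3}")
MAX_ARG_LEN = 23  # longest valid argument: "255,255,255,255,255,255"

def check_port_command(line):
    """Return (True, (host, port)) for a well-formed PORT, else (False, reason)."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    if verb.upper() != "PORT":
        return False, "not a PORT command"
    if len(arg) > MAX_ARG_LEN:          # bound the input before splitting it
        return False, "argument too long"
    fields = arg.split(",")
    if len(fields) != 6:                # never index past the six expected slots
        return False, f"expected 6 fields, got {len(fields)}"
    values = []
    for field in fields:
        if not _FIELD.fullmatch(field):
            return False, f"non-numeric or oversized field {field!r}"
        number = int(field)
        if number > 255:
            return False, f"field out of range: {number}"
        values.append(number)
    host = ".".join(str(v) for v in values[:4])
    return True, (host, values[4] * 256 + values[5])

def flag_malformed(lines):
    """Return [(line_number, reason)] for each PORT command that fails validation."""
    findings = []
    for number, line in enumerate(lines, 1):
        if line.split(" ", 1)[0].strip().upper() == "PORT":
            ok, detail = check_port_command(line)
            if not ok:
                findings.append((number, detail))
    return findings

# Constructed sample command log (not captured traffic).
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,10,19,137",
    "PORT 192,168,1,10,19",
    "PORT 1,2,3,4,5,6,7,8,9,10",
    "PORT 10,0,0,5,999,1",
    "PORT 10,0,0,5,-1,1",
    "PORT " + "1," * 40 + "1",
]

if __name__ == "__main__":
    for number, reason in flag_malformed(SAMPLE):
        print(f"line {number}: {reason}")
```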
Impact
Exploitation of this vulnerability can result in a buffer overflow, allowing for arbitrary code execution within the context of the FTP service.
Reproduction
The vulnerability can be reproduced by sending a crafted FTP PORT command that triggers the out-of-bounds array access, either manually or with the available Metasploit module. The module automates the process: it first sends the payload via the USER and PASS commands, then delivers the exploit via the PORT command.
