EasyFTP Server Stack-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

A stack-based buffer overflow vulnerability has been identified in EasyFTP Server versions through 1.7.0.11. The issue arises in the FTP command parser, specifically when the CWD (Change Working Directory) command is processed. The server does not properly validate the length of the input string, which allows attackers to overwrite memory on the stack. This vulnerability enables remote code execution without authentication, as EasyFTP allows anonymous access by default. The flaw was addressed in version 1.7.0.12, after which the product was renamed 'UplusFtp'.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server.

Reproduction

The vulnerability can be reproduced by sending a crafted CWD command that includes a payload designed to exploit the buffer overflow. This can be done using a FTP client or programmatically via a script that connects to the FTP server, logs in as an anonymous user, and sends the malicious CWD command with the overflow payload. The Metasploit Framework includes a module that automates this exploitation process.

Remediation

Users are advised to upgrade to EasyFTP Server version 1.7.0.12 or later.