Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
ComSndFTP FTP Server Format String Vulnerability Leading to Remote Code Execution
Vulnerability
A format string vulnerability has been identified in ComSndFTP FTP Server version 1.3.7 Beta. The issue arises in the handling of the USER command: the supplied username is used as a format string, so a remote attacker can send a specially crafted username containing format specifiers. This allows the attacker to overwrite a function pointer in memory, specifically the pointer to WSACleanup from Ws2_32.dll. The exploit bypasses Data Execution Prevention (DEP) using a Return-Oriented Programming (ROP) chain, ultimately leading to arbitrary code execution. The vulnerability is present in default configurations and does not require authentication.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server.
Reproduction
The vulnerability can be reproduced by sending a crafted USER command that includes format specifiers. This can be done using a simple TCP socket connection to the FTP server's port 21. After the server's banner is received, the crafted username is sent; the format string write overwrites the WSACleanup function pointer, after which the ROP chain executes, bypassing DEP and allowing arbitrary code execution.
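The trigger described above is a USER command whose username contains printf-style conversion specifiers, which a legitimate FTP login never needs. The following detection logic is an added example, not part of the advisory and not code from the ComSndFTP project: it scans captured FTP command lines (constructed samples, embedded inline) for USER commands carrying conversion specifiers and rates the `%n` family, the write primitive a function-pointer overwrite depends on, as high risk. Function names and the sample lines are assumptions; a lone `%` or the escaped `%%` is deliberately not flagged.

```python
import re

# Constructed sample FTP command lines for the demonstration (not taken from the advisory).
SAMPLE_LINES = [
    "USER alice",          # normal login, must not alert
    "PASS secret",         # not a USER command, ignored
    "USER %x%x%x%n",       # specifiers including a write conversion: high risk
    "USER 100%",           # lone percent sign, no conversion follows: benign
    "USER 50%%done",       # escaped percent, prints a literal '%': benign
]

# printf-style conversion: % [flags] [width] [.precision] [length] conversion, or the %% escape.
FORMAT_SPEC = re.compile(
    r"%(?:%|[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfFgGaAcspn])"
)


def find_specifiers(text):
    """Return the conversion specifiers found in text, excluding the harmless %% escape."""
    return [m.group(0) for m in FORMAT_SPEC.finditer(text) if m.group(0) != "%%"]


def assess_user_command(line):
    """Assess one FTP command line. Returns a finding dict for a suspicious USER
    command, or None for non-USER commands and usernames without specifiers."""
    parts = line.strip().split(" ", 1)
    if parts[0].upper() != "USER" or len(parts) < 2:
        return None
    username = parts[1].strip()
    specs = find_specifiers(username)
    if not specs:
        return None
    # %n, %hn and %hhn write to memory; the other conversions only read the stack.
    writes_memory = any(s.endswith("n") for s in specs)
    return {
        "username": username,
        "specifiers": specs,
        "writes_memory": writes_memory,
        "risk": "high" if writes_memory else "medium",
    }


def scan_lines(lines):
    """Run the assessment over a sequence of command lines and collect the findings."""
    findings = []
    for line in lines:
        finding = assess_user_command(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"[{f['risk'].upper()}] USER {f['username']!r} specifiers={f['specifiers']}")
```

The same check can be applied to a live command stream in front of the server, where a USER command with any conversion specifier is a reason to drop the session and raise an alert; the medium/high split only prioritises triage, since an attacker can combine read conversions with a `%n` write in one username.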
