Xlight FTP Server SEH Overwrite Vulnerability Allowing Buffer Overflow and Potential Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in Xlight FTP Server version 3.9.1. It allows local attackers to crash the application and overwrite the structured exception handler (SEH) pointers by supplying a crafted buffer string. Exploitation involves injecting a 428-byte payload through the program execution field in the virtual server configuration; this triggers the buffer overflow, corrupts the SEH chain, and could lead to arbitrary code execution.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the application and overwriting the SEH chain, which could be leveraged for arbitrary code execution.

Reproduction

To reproduce this vulnerability, first generate the overflow payload by writing 428 bytes of 'A' characters into a text file (overflow.txt). Then open the Xlight FTP Server application and navigate to the virtual server configuration. In the 'Advanced' section, find the 'Execute a program after user logged in' option and paste the contents of overflow.txt, which holds the crafted payload. Once the configuration is applied, the application crashes, indicating that the SEH overwrite has occurred.
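The defect pattern behind this class of crash, beside the bounded check that prevents it, as an added illustration in C; this is not Xlight's code, and the 260-byte buffer capacity and the function names are assumptions:

```c
#include <stddef.h>
#include <string.h>

/* Assumed capacity of the field's stack buffer. Xlight's real buffer size is
 * not stated in the advisory; 260 (Windows MAX_PATH) is an illustrative value
 * that any valid program path must fit inside anyway. */
#define PROGRAM_PATH_CAP 260

/* The pattern that produces an SEH overwrite: the field value is copied into a
 * fixed-size stack buffer with no length check. A 428-byte value runs past the
 * buffer, over the saved frame data and into the SEH record. Shown only as the
 * defective pattern; nothing here calls it. */
void store_program_path_unchecked(const char *value)
{
    char buf[PROGRAM_PATH_CAP];
    strcpy(buf, value);   /* unbounded: 428 bytes overrun a 260-byte buffer */
    (void)buf;
}

/* Hardened form: the value is stored only if it fits, terminator included.
 * Returns the stored length, or -1 when the value is rejected. */
int store_program_path(char *dst, size_t cap, const char *value)
{
    const char *nul = memchr(value, '\0', cap);   /* scans at most cap bytes */
    if (nul == NULL)                               /* no terminator within cap */
        return -1;
    size_t len = (size_t)(nul - value);
    memcpy(dst, value, len + 1);
    return (int)len;
}

/* Constructed input: a run of n 'A' bytes, like the 428-byte payload from the
 * reproduction steps (n is capped at 428). Returns the store result. */
int store_run_of_a(size_t n)
{
    static char payload[428 + 1];
    char dst[PROGRAM_PATH_CAP];
    if (n > 428)
        n = 428;
    memset(payload, 'A', n);
    payload[n] = '\0';
    return store_program_path(dst, sizeof dst, payload);   /* 428 -> -1 */
}
```

The boundary matters: 259 bytes is the longest value the checked store accepts, and 260 bytes (no room for the terminator) is rejected just like the 428-byte payload.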

Added: Apr 5, 2026, 9:32 PM
Updated: Apr 5, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          7.5
exploitability  4.8
remediation     0.0
relevance       5.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.