Title: Jarle Aase War FTPD USER/PASS Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
War FTPD is an Internet FTP server by Jarle Aase.
War FTPD is reported prone to multiple buffer overflow vulnerabilities. The issues present themselves due to a lack of sufficient boundary checks performed on data that is passed to the server as values for the USER and PASS commands.
Data supplied as a value for either the USER or PASS commands that exceeds the size of a reserved buffer in War FTPD process memory will overrun the bounds of said buffer. This will result in corruption of adjacent memory. Because this memory region contains saved variables that are crucial for controlling execution flow for the process, the attacker may ultimately influence execution flow into attacker-controlled memory.
A remote attacker may potentially exploit these issues pre-authentication to have arbitrary code executed in the context of the affected FTP server.
Affected Products:
- Jarle Aase War FTPD 1.65.0
References:
- CORE Security: WarFTPd USER-PASS Overflow exploit
- CVE: Buffer overflow in War FTP allows remote execution of commands.
- Jarle Aase: War FTPD Product Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
