CVE-1999-0256
published 1998-02-01

CVE-1999-0256: Buffer overflow in War FTP allows remote execution of commands.

Priority: P349 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 72.42% (99.4th percentile)
Buffer overflow in War FTP allows remote execution of commands.

Affected

2 ranges
Vendor          Product         Version range   Fixed in
jgaa            warftpd         <= 1.66
war_ftp_daemon  war_ftp_daemon  <= 1.65

Detection & IOCs (extracted from sources)

command: USER <overflow buffer>
command: PASS <overflow buffer>
other: Return address 0x750231e2 (ws2help.dll) — USER overflow, Windows 2000 SP0-SP4 English
other: Return address 0x71ab1d54 (push esp, ret) — USER overflow, Windows XP SP0-SP1 English
other: Return address 0x71ab9372 (push esp, ret) — USER overflow, Windows XP SP2 English
other: Return address 0x71ab2b53 (push esp, ret) — USER overflow, Windows XP SP3 English
other: Return address 0x5f4e772b (jmp ebx in MFC42.DLL) — PASS overflow, Windows 2000
port: 21 (FTP — War-FTPD 1.65)
bytes: \xeb\x06 at offset 558 in PASS buffer
  • Detect oversized FTP USER command: a USER argument exceeding ~485 bytes (NOP sled + payload) is characteristic of this exploit. Flag FTP sessions where USER argument length >= 485 bytes.
  • Detect oversized FTP PASS command: a PASS argument exceeding ~558 bytes with a short-jump sequence (\xeb\x06) at offset 558 is characteristic of the PASS overflow exploit.
  • Bad characters \x00\x0a\x0d\x40 are avoided in the payload; presence of large FTP USER/PASS arguments lacking these bytes but containing NOP sleds is a strong exploit indicator.
  • The PASS overflow exploit requires anonymous login to be enabled. Correlate anonymous FTP login attempts followed immediately by an oversized PASS argument as a high-confidence attack pattern.
  • A failed exploit attempt crashes the War-FTPD service entirely. Sudden War-FTPD service termination following an oversized USER or PASS command should be treated as a post-exploitation or failed-exploitation indicator.
  • The PASS overflow module only works reliably against Windows 2000 targets; attempting it against other OS versions is likely to crash the service without achieving code execution.
  • The PASS overflow exploit requires anonymous FTP logins to be enabled on the target War-FTPD 1.65 server; if anonymous logins are disabled the exploit cannot proceed.
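
The length, offset and correlation checks listed above can be combined into one pass over a session's client commands. The following is an added example, not code from this page or its sources; the function names, the tag strings, the 16-byte NOP-run threshold, the "ftp" alias for anonymous and the reading of offset 558 as an offset into the PASS argument are assumptions, and the sample sessions are constructed filler.

```python
import re

USER_MIN_LEN = 485         # page: flag USER argument length >= 485 bytes
PASS_JMP_OFFSET = 558      # page: \xeb\x06 at offset 558 in the PASS buffer
SHORT_JMP = b"\xeb\x06"
BAD_CHARS = b"\x00\x0a\x0d\x40"      # page: bytes the payload avoids
NOP_RUN = re.compile(rb"\x90{16,}")  # assumption: 16+ x86 NOPs counts as a sled


def sled_like(arg: bytes) -> bool:
    """Argument holds a NOP run and none of the avoided bytes."""
    return bool(NOP_RUN.search(arg)) and not any(b in BAD_CHARS for b in arg)


def inspect_session(lines):
    """lines: client FTP commands as bytes, CRLF removed. Returns [(index, [tags])]."""
    findings, anonymous = [], False
    for i, line in enumerate(lines):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        tags = []
        if verb == b"USER":
            # assumption: "ftp" is treated as an alias for anonymous
            anonymous = arg.strip().lower() in (b"anonymous", b"ftp")
            if len(arg) >= USER_MIN_LEN:
                tags.append("oversized-USER")
        elif verb == b"PASS":
            if len(arg) > PASS_JMP_OFFSET:
                tags.append("oversized-PASS")
                if arg[PASS_JMP_OFFSET:PASS_JMP_OFFSET + 2] == SHORT_JMP:
                    tags.append("short-jmp-at-558")
                if anonymous:
                    tags.append("after-anonymous-login")
            anonymous = False
        if tags and sled_like(arg):
            tags.append("nop-sled")
        if tags:
            findings.append((i, tags))
    return findings


# Constructed sample sessions (filler bytes only, no real payload).
BENIGN = [b"USER anonymous", b"PASS guest@example.com", b"LIST"]
BIG_USER = [b"USER " + b"\x90" * 500]
BIG_PASS = [b"USER anonymous", b"PASS " + b"A" * 558 + SHORT_JMP + b"B" * 40]

if __name__ == "__main__":
    for name, s in (("benign", BENIGN), ("user", BIG_USER), ("pass", BIG_PASS)):
        print(name, inspect_session(s))
```

Feeding it commands reassembled from a port 21 capture, then correlating any finding with a War-FTPD service stop shortly afterwards, covers the crash indicator as well.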