CVE-2003-0772
Published 2003-09-22
Priority: P3 (44) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Note that the vector's Au:N (no authentication required) does not match the description, which states that the overflow is reachable only by authenticated users.
Exploit: public exploit available
EPSS: 72.07% (99.4th percentile)
Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | ws_ftp_server | — | — |
| progress | ws_ftp_server | — | — |
Detection & IOCs (extracted from sources)
- Detect oversized STAT or APPE FTP command arguments from authenticated users; the buffer overflow is triggered by supplying excessive input to these commands on WS_FTP Server 3.x/4.x.
- After successful exploitation, the public exploit's shellcode opens a bind shell on TCP port 1981 on the victim host; monitor for unexpected inbound connections to port 1981 on FTP servers.
- The exploit targets the JMP ESP gadget at 0x77E14C29 in user32.dll on Windows 2000 SP4. On the wire the address is sent little-endian, so a content rule should match the byte sequence 29 4c e1 77 inside the command argument; its presence in FTP traffic is a strong exploit indicator.
- Exploitation requires an authenticated FTP account; monitor authenticated sessions for abnormally long STAT or APPE commands (the overflow point is at offset 0x118+4, i.e. 284 bytes into the argument).
- A valid account on the target WS_FTP Server is required; unauthenticated attackers cannot trigger the overflow.
- The public exploit was tested specifically against WS_FTP Server 4.0.1.EVAL on Windows 2000 Server EN; the JMP ESP address and shellcode offsets may differ on other patch levels or OS versions.
- The exploit defaults to FTP port 21 but accepts another port via its -P flag; detections should not be limited to port 21 if WS_FTP runs on a non-standard port.
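The indicators above can be turned into a small session analyser. The following is an added example written for this page, not code from any of the cited sources or from the exploit itself. It takes the offset (0x118+4) and the JMP ESP address (0x77E14C29) quoted in the IOC list, tracks login state from the server's 230 reply (RFC 959), and flags STAT/APPE arguments that are long enough to reach the overflow point or that carry the return address in little-endian form. The transcript format, the severity labels, the connection-record tuples and all sample sessions are constructed for the example and are assumptions, not captured data.

```python
"""Flag CVE-2003-0772-style STAT/APPE abuse in FTP control-channel transcripts.

Added example for this page; the offsets and addresses are those quoted from the
public exploit (WS_FTP Server 4.0.1.EVAL on Windows 2000 SP4) and may differ elsewhere.
"""
from dataclasses import dataclass

OVERFLOW_OFFSET = 0x118 + 4                   # 284 argument bytes before the overflow point
RET_ADDR = 0x77E14C29                         # JMP ESP in user32.dll, Windows 2000 SP4
RET_ADDR_LE = RET_ADDR.to_bytes(4, "little")  # b"\x29\x4c\xe1\x77" as it appears on the wire
BIND_SHELL_PORT = 1981                        # port opened by the exploit's shellcode
VULN_COMMANDS = {b"STAT", b"APPE"}


@dataclass(frozen=True)
class Alert:
    session: str
    severity: str   # "high": authenticated, exploitable; "low": pre-auth, anomalous only
    reason: str


def analyze_session(session_id: str, transcript: list[tuple[str, bytes]]) -> list[Alert]:
    """transcript: ("C", raw_command) / ("S", raw_reply) pairs in wire order (assumed format)."""
    alerts: list[Alert] = []
    authenticated = False
    for direction, raw in transcript:
        line = raw.rstrip(b"\r\n")
        if direction == "S":
            if line[:3] == b"230":            # RFC 959: 230 = user logged in
                authenticated = True
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb not in VULN_COMMANDS:
            continue
        oversized = len(arg) >= OVERFLOW_OFFSET
        has_ret = RET_ADDR_LE in arg
        if not (oversized or has_ret):
            continue
        detail = []
        if oversized:
            detail.append(f"{len(arg)}-byte argument (overflow at {OVERFLOW_OFFSET})")
        if has_ret:
            detail.append(f"contains 0x{RET_ADDR:08x} little-endian")
        # The advisory states the overflow is only reachable after login, so a
        # pre-auth oversized command is anomalous but not exploitable.
        severity = "high" if authenticated else "low"
        auth_note = "authenticated" if authenticated else "pre-auth, not exploitable per advisory"
        alerts.append(Alert(session_id, severity, f"{verb.decode()} {'; '.join(detail)} ({auth_note})"))
    return alerts


def find_bind_shell_connections(connections, ftp_servers):
    """connections: iterable of (src_ip, dst_ip, dst_port); return those hitting TCP 1981 on an FTP server."""
    return [c for c in connections if c[1] in ftp_servers and c[2] == BIND_SHELL_PORT]


# --- Constructed sample data (not real captures) ---------------------------------
BENIGN = [
    ("C", b"USER alice\r\n"), ("S", b"331 Password required\r\n"),
    ("C", b"PASS hunter2\r\n"), ("S", b"230 Logged in\r\n"),
    ("C", b"STAT pub\r\n"), ("S", b"213-Status of pub\r\n"),
    ("C", b"QUIT\r\n"), ("S", b"221 Goodbye\r\n"),
]
EXPLOIT = [
    ("C", b"USER test\r\n"), ("S", b"331 Password required\r\n"),
    ("C", b"PASS test\r\n"), ("S", b"230 Logged in\r\n"),
    # 284 bytes of padding, the return address, a NOP sled, then a stand-in for shellcode.
    ("C", b"STAT " + b"A" * OVERFLOW_OFFSET + RET_ADDR_LE + b"\x90" * 16 + b"\xcc" * 32 + b"\r\n"),
]
PRE_AUTH = [
    ("C", b"USER test\r\n"), ("S", b"331 Password required\r\n"),
    ("C", b"APPE " + b"A" * 600 + b"\r\n"),
]
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "192.0.2.10", 1981),   # FTP server: bind shell indicator
    ("10.0.0.5", "192.0.2.10", 21),     # normal FTP
    ("10.0.0.5", "192.0.2.99", 1981),   # not an FTP server: ignored
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN), ("exploit", EXPLOIT), ("preauth", PRE_AUTH)):
        for alert in analyze_session(name, session):
            print(f"[{alert.severity}] {alert.session}: {alert.reason}")
    for conn in find_bind_shell_connections(SAMPLE_CONNECTIONS, {"192.0.2.10"}):
        print(f"[high] bind shell connection {conn[0]} -> {conn[1]}:{conn[2]}")
```

The length threshold and the return address are exploit-specific, so treat them as indicators of this particular PoC rather than of the vulnerability class; an oversized STAT/APPE argument after a 230 reply is the durable signal. If you write a byte-pattern rule from this, match the on-wire order 29 4c e1 77, not the printed 77 e1 4c 29.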
No detection rules found.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=106288825902868&w=2
- http://secunia.com/advisories/9671
- http://www.kb.cert.org/vuls/id/219140
- http://www.kb.cert.org/vuls/id/792284
- http://www.securityfocus.com/bid/8542
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13119