cbcvebase.
CVE-2003-0772
published 2003-09-22

Priority P344 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 72.07% (99.4th percentile)
Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments.

Affected

2 ranges
Vendor    Product        Version range  Fixed in
ipswitch  ws_ftp_server
progress  ws_ftp_server

Detection & IOCs (extracted from sources)

command: APPE
port: 1981
other: 0x77E14C29 (win2k sp4 user32.dll JMP ESP)
  • Detect oversized STAT or APPE FTP command arguments from authenticated users; a buffer overflow is triggered by supplying excessive input to these commands against WS_FTP Server 3.x/4.x.
  • After successful exploitation, the shellcode opens a bind shell on TCP port 1981 on the victim host; monitor for unexpected inbound connections to port 1981 on FTP servers.
  • The exploit targets the JMP ESP gadget at 0x77E14C29 in user32.dll on Windows 2000 SP4; presence of this return address in FTP traffic is a strong exploit indicator.
  • Exploitation requires an authenticated FTP account; monitor for authenticated FTP sessions issuing abnormally long STAT or APPE commands (overflow point is at offset 0x118+4 bytes).
  • Exploitation requires a valid authenticated FTP account on the target WS_FTP Server; unauthenticated attackers cannot trigger the overflow.
  • The public exploit was tested specifically against WS_FTP Server 4.0.1.EVAL on Windows 2000 Server EN; the JMP ESP address and shellcode offsets may differ on other patch levels or OS versions.
  • The exploit's default FTP port is 21 but is configurable via the -P flag; detections should not be limited to port 21 if WS_FTP is running on a non-standard port.
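
The detection points above can be combined into one check on a reassembled FTP control channel. This is an added example, not code from the advisory or the public exploit. The function names, the (direction, line) event format and the 0x118-byte alert threshold are assumptions for illustration. It works on the command stream itself, so it does not depend on the server port.

```python
import struct

# Assumption: alert threshold taken from the overflow offset quoted above.
MAX_ARG_LEN = 0x118
WATCHED = {b"STAT", b"APPE"}
# Return address listed above, as it would appear little-endian on the wire.
JMP_ESP_LE = struct.pack("<I", 0x77E14C29)


def inspect_command(line: bytes) -> list[str]:
    """Return the reasons one client-to-server FTP command line is suspicious."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    verb = verb.upper()
    reasons = []
    if verb in WATCHED:
        if len(arg) >= MAX_ARG_LEN:
            reasons.append(f"{verb.decode()} argument is {len(arg)} bytes")
        if JMP_ESP_LE in arg:
            reasons.append("argument contains 0x77E14C29 (little-endian)")
    return reasons


def scan_session(events):
    """events: (direction, line) pairs from one control channel;
    direction is 'C' for client commands and 'S' for server replies."""
    authenticated, alerts = False, []
    for direction, line in events:
        if direction == "S":
            if line.startswith(b"230"):  # 230 = user logged in
                authenticated = True
            continue
        for reason in inspect_command(line):
            alerts.append({"authenticated": authenticated, "reason": reason})
    return alerts


# Constructed sample session (not captured traffic); filler bytes only.
SAMPLE = [
    ("C", b"USER alice\r\n"), ("S", b"331 Password required\r\n"),
    ("C", b"PASS secret\r\n"), ("S", b"230 User logged in\r\n"),
    ("C", b"STAT /pub\r\n"),                     # normal use, no alert
    ("C", b"STAT " + b"A" * 300 + b"\r\n"),      # oversized argument
    ("C", b"APPE x" + JMP_ESP_LE + b"\r\n"),     # address marker only
]

if __name__ == "__main__":
    for alert in scan_session(SAMPLE):
        print(alert)
```

Because the return address may differ on other patch levels or OS versions, the length check is the more durable of the two signals; the address match only covers the tested build.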