cbcvebase.
CVE-2004-0695
published 2004-07-27

CVE-2004-0695: Stack-based buffer overflow in the FTP service for 4D WebSTAR 5.3.2 and earlier allows remote attackers to execute arbitrary code via a long FTP command.

Priority: P3 48 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 38.19% (98.4th percentile)

Affected

9 ranges
Vendor | Product | Version range | Fixed in
4d | webstar
4d | webstar
4d | webstar
4d | webstar
4d | webstar
4d | webstar
4d | webstar
4d | webstar
4d | webstar

Detection & IOCs (extracted from sources)

command: USER <oversized buffer>
bytes: ROP gadget address 0x9008dce0 (call $r28, jump r1+120) - PPC Mac OS X 10.3.4-10.3.6 System library
bytes: Bad chars in payload: 0x00 0x20 0x0a 0x0d
  • Detect oversized FTP USER command sent to WebSTAR FTP service; the exploit sends a USER argument of 285+ bytes (offset dependent on attacker hostname length) followed by ROP chain and shellcode.
  • The exploit sends a HELP command immediately after the malicious USER command as part of the attack sequence; alert on USER overflow followed by HELP on the same FTP session.
  • The overflow occurs in the FTP logging routine of WebSTAR FTP server 5.3.2 and earlier; monitor FTP USER commands exceeding normal length bounds on Mac OS X hosts running WebSTAR.
  • ROP chain uses four specific PPC addresses from the System library (0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590); presence of these big-endian 4-byte sequences within an FTP USER payload is a strong indicator of exploitation.
  • The ROP gadget addresses (0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590) are specific to Mac OS X 10.3.4–10.3.6 PPC System library; they will not apply to other OS versions or architectures.
  • Payload space is limited to 300 bytes and must avoid null bytes, spaces, newlines, and carriage returns; custom shellcode must respect these constraints.
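
The three detection notes above (oversized USER, gadget-address bytes, HELP straight after the overflow) combined into one session scanner. This is an added example, not code from the page's sources; the function name, reason codes, the use of 285 bytes as the length threshold, and the sample sessions are assumptions constructed for illustration.

```python
import struct

# Length figure and gadget addresses are the ones listed in the notes above.
# Using 285 as a fixed threshold is an assumption; the notes say the real
# offset varies, so tune it to the longest legitimate username you expect.
USER_LEN_THRESHOLD = 285
GADGET_ADDRS = (0x9008DCE0, 0x90034D60, 0x900CA6D8, 0x90023590)
# Big-endian 4-byte encodings, as they would appear on the wire (PPC).
GADGET_BYTES = [struct.pack(">I", a) for a in GADGET_ADDRS]


def scan_session(commands):
    """Scan one FTP control session (client command lines as bytes, CRLF
    stripped) and return a list of (line_index, reason_code) findings."""
    findings = []
    overflow_at = None  # index of the last oversized USER command
    for i, line in enumerate(commands):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            if len(arg) >= USER_LEN_THRESHOLD:
                findings.append((i, "USER_OVERSIZED"))
                overflow_at = i
            if any(g in arg for g in GADGET_BYTES):
                findings.append((i, "USER_GADGET_BYTES"))
        elif verb == b"HELP" and overflow_at is not None and i == overflow_at + 1:
            # HELP directly after the oversized USER on the same session.
            findings.append((i, "HELP_AFTER_OVERFLOW"))
    return findings


# Constructed sample sessions (not captured traffic).
BENIGN = [b"USER anonymous", b"PASS guest@example.org", b"HELP"]
SUSPICIOUS = [b"USER " + b"A" * 300 + GADGET_BYTES[0] + GADGET_BYTES[3], b"HELP"]
LONG_ONLY = [b"USER " + b"B" * 400, b"PASS x", b"HELP"]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN), ("suspicious", SUSPICIOUS),
                          ("long_only", LONG_ONLY)):
        print(name, scan_session(session))
```

Because the gadget addresses only apply to Mac OS X 10.3.4-10.3.6 on PPC, treat `USER_OVERSIZED` as the primary signal and the byte match as corroboration.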