CVE-2006-6576
published 2006-12-15


Priority: P3 (54)
Severity: high, CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT: a public exploit exists for this CVE
EPSS: 66.81% (99.2th percentile)
Heap-based buffer overflow in Golden FTP Server (goldenftpd) 1.92 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long PASS command. NOTE: it was later reported that 4.70 is also affected. NOTE: the USER vector is already covered by CVE-2005-0634.

Affected

1 range
Vendor             Product             Version range   Fixed in
goldenftpserver    golden_ftp_server   (not given)     (not given)

Detection & IOCs (extracted from sources)

command: PASS <long buffer>
port: 4444 (bind shell opened by the payload)
bytes: \x2b\xc9\xb1\x56\xba\x96\x70\x11\x9e\xdb\xd0\xd9\x74\x24\xf4\x58
bytes: \xba\x1e\xb6\xaa\x95\xda\xc3\xd9\x74\x24\xf4\x5d\x29\xc9\xb1\x52
bytes: \xfd\xb8\x43\x42\x41\x40\x89\xF7\x47\x90\x83\xC7\x03\xaf\x75\xfa
Note on the byte strings: the first two are the opening bytes of a polymorphic decoder stub (\xd9\x74\x24\xf4 is the fnstenv [esp-0xc] GetPC sequence, \x29\xc9\xb1 NN / \x2b\xc9\xb1 NN is the "sub ecx, ecx; mov cl, NN" loop counter); such stubs change on every encoder run, so they identify only the specific sample they were taken from, not the exploit in general. The third contains \xb8\x43\x42\x41\x40, i.e. mov eax, 0x40414243, the egg-hunter tag load.
  • Detect exploitation attempts by monitoring FTP PASS commands on port 21 with anomalously long arguments. The exploit overwrites the saved return address at an offset of 524 to 533 bytes (the exact value depends on the attacker's source IP subnet), so a rule keyed to a single fixed length misses some variants; alert on any PASS argument far longer than a plausible password (a threshold of a few hundred bytes catches every variant).
  • The overflow is only triggerable when the 'Show new connections' option is enabled in the Golden FTP Server settings; it is off by default, which significantly limits the attack surface. Verify the setting on exposed instances and alert where it is enabled.
  • Fingerprint vulnerable instances from the version string in the FTP greeting banner; 1.92 and 4.70 are reported affected.
  • The exploit sends 'USER anonymous' followed immediately by an oversized 'PASS' payload; alert on anonymous login attempts whose PASS argument exceeds normal length bounds.
  • The egg hunter's 4-byte egg is 0x40414243. Because mov eax, 0x40414243 stores the value little-endian, the tag that appears in memory, and therefore on the wire, is the byte sequence 43 42 41 40 ("CBA@"), not "ABC@"; in the usual egg-hunter layout it is doubled ("CBA@CBA@") immediately before the stage-two shellcode. Scan PASS payloads and process memory for that sequence.
  • Post-exploitation the payload binds a shell on TCP port 4444 on the FTP server host; alert when the FTP server process opens a listener on 4444 and on any inbound connection to that port.
  • The payload must avoid the bad characters 0x00, 0x0a and 0x0d, so the encoded shellcode arrives as a single long line with a high proportion of non-printable bytes; a PASS argument that is largely non-ASCII is itself a strong indicator.
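The detection points above, turned into a small analyzer that runs over a client-to-server FTP control stream. This is an added example, not code from the CVE page, from the exploit, or from Golden FTP Server; the two sample streams are constructed by hand rather than captured, and the 128-byte length threshold and 30% non-printable ratio are assumptions chosen for illustration. It checks the overflow length window, the anonymous-USER-then-oversized-PASS sequence, the non-printable byte ratio, and the little-endian egg tag.

```python
"""Detection logic for CVE-2006-6576 exploitation attempts on the FTP control channel.

Added example, not code from the CVE page or from Golden FTP Server. The sample
streams below are constructed by hand, not captured traffic, and the thresholds
are assumptions chosen for illustration.
"""

# The egg hunter loads its tag with mov eax, 0x40414243; x86 stores the dword
# little-endian, so the marker that must sit in memory (and therefore on the wire)
# is b"CBA@", conventionally doubled to an 8-byte marker.
EGG_TAG = (0x40414243).to_bytes(4, "little")   # b"CBA@"
EGG_MARKER = EGG_TAG * 2                         # b"CBA@CBA@"

# Assumed thresholds (not from the page): no real password approaches 128 bytes,
# and the return-address overwrite lands at 524-533 bytes depending on the subnet.
PASS_LEN_THRESHOLD = 128
EIP_WINDOW_LOW = 524
NONPRINT_RATIO_THRESHOLD = 0.30
BAD_CHARS = (0x00, 0x0A, 0x0D)   # bytes the exploit payload cannot contain


def split_commands(stream: bytes):
    """Split a client->server FTP control stream into (VERB, argument) pairs.

    FTP lines end in CRLF, and the exploit cannot embed 0x0A or 0x0D, so a
    malicious PASS line is still exactly one line.
    """
    commands = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        commands.append((verb.upper(), arg))
    return commands


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII (0x20..0x7E)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7E) / len(data)


def analyze_stream(stream: bytes) -> list:
    """Return the alerts raised by one FTP control stream (empty list if clean)."""
    alerts = []
    prev_verb, prev_arg = b"", b""
    for verb, arg in split_commands(stream):
        if verb == b"PASS":
            n = len(arg)
            if n >= PASS_LEN_THRESHOLD:
                alerts.append(f"oversized PASS argument ({n} bytes)")
            if n >= EIP_WINDOW_LOW:
                alerts.append("PASS length reaches the 524-533 byte return-address window")
            if nonprintable_ratio(arg) > NONPRINT_RATIO_THRESHOLD:
                alerts.append("PASS argument is mostly non-printable (encoded shellcode?)")
            if EGG_MARKER in arg:
                alerts.append("egg-hunter marker CBA@CBA@ present in PASS argument")
            if prev_verb == b"USER" and prev_arg.lower() == b"anonymous" and n >= PASS_LEN_THRESHOLD:
                alerts.append("anonymous login followed by oversized PASS")
        prev_verb, prev_arg = verb, arg
    return alerts


# Constructed sample: an ordinary login session.
BENIGN_STREAM = b"USER alice\r\nPASS s3cret!\r\nPWD\r\nQUIT\r\n"

# Constructed sample modelled on the described exploit: anonymous login, padding to
# a 530-byte offset (inside the 524-533 window), a placeholder return address, then
# the doubled egg and a stand-in for encoded shellcode built only from non-bad bytes.
_ENCODED_STAGE = bytes(b for b in range(0x80, 0x100) if b not in BAD_CHARS) * 3
MALICIOUS_STREAM = (
    b"USER anonymous\r\n"
    b"PASS " + b"A" * 530 + b"\x42\x42\x42\x42" + EGG_MARKER + _ENCODED_STAGE + b"\r\n"
)

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("malicious", MALICIOUS_STREAM)):
        print(name, analyze_stream(stream) or ["no alerts"])
```

The length checks are deliberately split: the 128-byte rule fires on any variant regardless of the subnet-dependent offset, while the 524-byte rule flags traffic that has actually reached the return-address window. Matching the egg on b"CBA@CBA@" rather than "ABC@" is what makes the tag check useful at all.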