CVE-2008-3734
Published: 2008-08-20
Priority: P3, 46
Severity: critical (CVSS 2.0 base score 9.3)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 13.95% (96.1st percentile)
Format string vulnerability in Ipswitch WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 allows remote FTP servers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in a connection greeting (response).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | ws_ftp_home | — | — |
| ipswitch | ws_ftp_pro | — | — |
Detection & IOCs (extracted from sources)
Indicator (bytes): `\x41\x41\x41\x41\x41\x41\x41\x41%x%x%x%x%x%x%x%s`
- A rogue FTP server sends a malicious format string payload in the FTP connection greeting (the 220 response banner). Detect FTP servers that return banners containing format string specifiers such as %x, %s or %n to connecting WS_FTP clients.
- The PoC payload consists of eight 0x41 bytes (ASCII 'A') followed by chained %x/%s format specifiers in the FTP banner. Monitor FTP greeting traffic for banners containing sequences of %x, %s or other printf-style format specifiers.
- A secondary buffer overflow vector exists in WS_FTP Home: an FTP server message response of approximately 4100 characters triggers a crash. Detect abnormally long FTP banner/greeting responses exceeding 4100 bytes.
- Exploitation results in EAX and ECX being overwritten with attacker-controlled values (0x41414141). Crash analysis of WS_FTP processes showing EAX=41414141 / ECX=41414141 is a strong indicator of exploitation.
- The PoC is a fake/rogue FTP server: exploitation requires the victim WS_FTP client to connect to an attacker-controlled server. The vulnerability is client-side and is triggered only when an FTP connection is established.
- Affected versions are WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 on Windows. Detection rules should be scoped to these specific product versions.
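The detection guidance above (printf-style specifiers in a 220 greeting, and greetings of 4100 bytes or more) as a small classifier over captured FTP greetings. This is an added example written for this page, not code from the advisory or from any detection product; the server names and banner samples are constructed.

```python
import re

# printf-style conversion: '%', optional flags/width/precision, then a conversion
# character. Only the families relevant to a format-string bug are listed.
FORMAT_SPEC = re.compile(r'%[-+0#]*\d*(?:\.\d+)?[diouxXcspn]')
MAX_GREETING_LEN = 4100   # long-banner crash threshold given on this page
# Constructed sample mirroring the PoC shape: eight 0x41 bytes, seven %x, one %s.
SAMPLE_POC = b'220 ' + b'\x41' * 8 + b'%x' * 7 + b'%s' + b'\r\n'

def analyze_greeting(raw: bytes) -> dict:
    """Classify one FTP greeting (what the server sends before the client's USER)."""
    text = raw.decode('latin-1')
    # '%%' is a literal percent sign in printf syntax, so drop it before scanning;
    # a plain '%' followed by a space (e.g. '95% full') does not match the pattern.
    specs = FORMAT_SPEC.findall(text.replace('%%', ''))
    writes = [s for s in specs if s.endswith('n')]     # %n can write to memory
    oversized = len(raw) >= MAX_GREETING_LEN
    return {
        'is_220': text.startswith('220'),
        'specifiers': specs,
        'has_write_specifier': bool(writes),
        'oversized': oversized,
        'suspicious': bool(specs) or oversized,
    }

def scan_greetings(greetings):
    """Return (server, verdict) pairs; the caller supplies captured greetings."""
    return [(server, analyze_greeting(raw)) for server, raw in greetings]

if __name__ == '__main__':
    # Constructed samples: benign banner, literal percent sign, PoC shape, oversized.
    samples = [
        ('ftp.example.test', b'220 ProFTPD 1.3.1 Server ready.\r\n'),
        ('mirror.example.test', b'220 Welcome, mirror at 100%% capacity\r\n'),
        ('rogue.example.test', SAMPLE_POC),
        ('long.example.test', b'220 ' + b'B' * 4200 + b'\r\n'),
    ]
    for server, verdict in scan_greetings(samples):
        print(f"{server}: suspicious={verdict['suspicious']} "
              f"specifiers={len(verdict['specifiers'])} oversized={verdict['oversized']}")
```

Feed it the greeting bytes from a passive capture or from a connection test against the servers your WS_FTP clients use; anything flagged warrants a look at the server, since a legitimate greeting has no reason to carry printf conversions.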
No detection rules found.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/31504
- http://securityreason.com/securityalert/4173
- http://www.securityfocus.com/bid/30720
- http://www.securitytracker.com/id?1020713
- http://www.securitytracker.com/id?1020714
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44512
- https://www.exploit-db.com/exploits/6257