CVE-2008-3734
published 2008-08-20


Priority P346 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 13.95% (96.1th percentile)
Format string vulnerability in Ipswitch WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 allows remote FTP servers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in a connection greeting (response).

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | ws_ftp_home | | |
| ipswitch | ws_ftp_pro | | |

Detection & IOCs (extracted from sources)

bytes
\x41\x41\x41\x41\x41\x41\x41\x41%x%x%x%x%x%x%x%s
  • A rogue FTP server sends a malicious format string payload in the FTP connection greeting (220 response banner). Detect FTP servers returning banners containing format string specifiers such as %x, %s, %n to connecting WS_FTP clients.
  • The PoC payload combines 8 bytes of 0x41 ('AAAA AAAA') followed by chained %x/%s format specifiers in the FTP banner. Monitor FTP server greeting traffic for banners containing sequences of %x, %s, or other printf-style format specifiers.
  • A secondary buffer overflow vector exists in WS_FTP Home: sending an FTP server message response of approximately 4100 characters triggers a crash. Detect abnormally long FTP banner/greeting responses exceeding 4100 bytes.
  • Exploitation results in EAX and ECX being overwritten with attacker-controlled values (0x41414141). Crash analysis of WS_FTP processes showing EAX=41414141 / ECX=41414141 is a strong indicator of exploitation.
  • The PoC is a fake/rogue FTP server; exploitation requires the victim WS_FTP client to connect to an attacker-controlled server. The vulnerability is client-side and triggered only upon establishing an FTP connection.
  • Affected versions are WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 on Windows. Detection rules should be scoped to these specific product versions.
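
The banner checks listed above can be expressed as a small inspection routine for captured FTP server replies. This is an added example, not code from the original page or the vendor; the function names, finding labels and sample banners are constructed for illustration, and the 4100 threshold is the figure the page gives.

```python
import re

# printf-style conversion: % [flags] [width] [.precision] [length] conversion.
# The space flag is deliberately left out so text like "100% uptime" is not flagged.
FORMAT_SPEC = re.compile(
    rb"%[-+#0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGcspn]"
)
MAX_REPLY_LEN = 4100  # response length the page associates with the WS_FTP Home crash


def first_reply(raw: bytes):
    """Return (code, text) of the first FTP reply, single or multi-line (RFC 959)."""
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    first = lines[0]
    code = first[:3]
    if len(code) != 3 or not code.isdigit():
        return None, b""
    if first[3:4] != b"-":                 # single-line reply: "220 text"
        return code.decode(), first[4:]
    body = [first[4:]]                     # multi-line reply: "220-text" ... "220 text"
    for line in lines[1:]:
        if line[:3] == code and line[3:4] == b" ":
            body.append(line[4:])
            break
        body.append(line)
    return code.decode(), b"\n".join(body)


def inspect_greeting(raw: bytes) -> list:
    """Return a list of findings for one server reply captured off the wire."""
    findings = []
    if len(raw) >= MAX_REPLY_LEN:
        findings.append("oversized-reply")
    code, text = first_reply(raw)
    if code is None:
        findings.append("malformed-reply")
        return findings
    specs = FORMAT_SPEC.findall(text)
    if specs:
        findings.append("format-specifier")
    if any(s.endswith(b"n") for s in specs):
        findings.append("format-write-specifier")
    return findings
```
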