CVE-2012-10055
Published 2025-08-13
Priority P269 · critical · 9.3 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit available
EPSS 1.99% (78.2nd percentile)
ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comsndftp | ftp_server | — | — |
Detection & IOCs (extracted from sources)
- Alert on FTP USER commands containing format string specifiers (e.g., %n, %x, %s, %p); these are the crafted payloads used to trigger the write-4 vulnerability.
- Monitor for unauthenticated FTP USER command attempts that trigger abnormal process behavior or crashes in ComSndFTP; exploitation requires no authentication.
- Watch for memory writes targeting the WSACleanup function pointer in Ws2_32.dll from within the ComSndFTP process; this is the specific overwrite target used to redirect execution flow.
- Detect ROP chain activity (DEP bypass) originating from the ComSndFTP server process following receipt of a malformed USER command.
- The SEH (Structured Exception Handler) exit path is the preferred exploitation route; monitor for SEH chain manipulation within the ComSndFTP process.
- When a Meterpreter payload is used, the ComSndFTP process will remain alive post-exploitation; a persistent, long-lived ComSndFTP process with active network sessions after a suspicious USER command is a strong indicator of compromise.
- The vulnerability affects only ComSndFTP version 1.3.7 Beta specifically; other versions are not confirmed vulnerable.
- The exploit targets a hardcoded function pointer address for WSACleanup in Ws2_32.dll; the address may vary across different Windows versions/patch levels, affecting the reliability of detection signatures based on static addresses.
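The first detection item above (flag FTP USER commands carrying format specifiers) is the one that does not depend on process addresses, so it survives the caveat about WSACleanup's address varying across Windows builds. The following Python is an added example, not code from the page or from the referenced Metasploit module; it assumes a constructed log format of `<timestamp> <client-ip> <command> <argument>` as a network sensor or FTP proxy might record the control channel. It distinguishes `%n`-family specifiers (a write primitive) from read-only specifiers such as `%x` and `%p`, and ignores a literal `%%` and stray `%` characters so that ordinary usernames do not alert.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample FTP control-channel log (not from the page).
# Format assumed: "<timestamp> <client-ip> <command> <argument>"
SAMPLE_LOG = """\
2025-08-13T10:00:01Z 10.0.0.5 USER alice
2025-08-13T10:00:02Z 10.0.0.5 PASS ****
2025-08-13T10:00:05Z 10.0.0.9 USER %n%n%n%n
2025-08-13T10:00:06Z 10.0.0.9 USER AAAA%x%x%x%x%n
2025-08-13T10:00:07Z 10.0.0.12 USER bob%
2025-08-13T10:00:08Z 10.0.0.12 USER 50%%off
2025-08-13T10:00:09Z 10.0.0.12 USER 100%_discount
"""

# printf-style conversion: %[argpos$][flags][width][.precision][length]conv
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ 0#]*\d*(?:\.\d+)?[hlLqjzt]*[diouxXeEfFgGaAcspn%]"
)


@dataclass
class Alert:
    timestamp: str
    client: str
    username: str
    specifiers: List[str]
    severity: str


def classify(username: str) -> Optional[Tuple[str, List[str]]]:
    """Return (severity, specifiers) if the username looks like a
    format-string payload, else None.  '%%' is a literal percent and
    is not counted."""
    specs = [s for s in FORMAT_SPEC.findall(username) if s != "%%"]
    if not specs:
        return None
    # %n / %hn / %hhn write to memory: this is the primitive that
    # overwrites the function pointer, so it is always high severity.
    if any(s.endswith("n") for s in specs):
        return "high", specs
    # Several read specifiers in one username suggest stack probing.
    if len(specs) >= 3:
        return "medium", specs
    return "low", specs


def scan_ftp_log(text: str) -> List[Alert]:
    """Scan log lines and return an Alert for each suspicious USER command."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, client, command, argument = parts
        if command.upper() != "USER":
            continue
        result = classify(argument)
        if result is None:
            continue
        severity, specs = result
        alerts.append(Alert(ts, client, argument, specs, severity))
    return alerts


if __name__ == "__main__":
    for a in scan_ftp_log(SAMPLE_LOG):
        print(f"{a.severity.upper():6} {a.timestamp} {a.client} "
              f"USER {a.username!r} specifiers={a.specifiers}")
```

On the constructed sample, only the two lines from 10.0.0.9 alert, both as high severity because they contain `%n`; `bob%`, `50%%off` and `100%_discount` do not match a complete conversion and stay quiet. A real deployment would pair this content rule with the process-level indicators listed above (crashes, SEH manipulation, a long-lived ComSndFTP process with active sessions), since those confirm exploitation rather than just an attempt.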
No detection rules found.
No writeups or analysis indexed.
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
- https://web.archive.org/web/20120317214524/http://ftp.comsnd.com/
- https://www.exploit-db.com/exploits/19024
- https://www.exploit-db.com/exploits/19177
- https://www.vulncheck.com/advisories/comsndftp-user-format-string-rce