CVE-2016-5764
Published 2016-10-27
Priority: P261, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.76% (93.9th percentile)
Micro Focus Rumba FTP 4.X client buffer overflow makes it possible to corrupt the stack and allow arbitrary code execution. Fixed in: Rumba FTP 4.5 (HF 14668). This can only occur if a client connects to a malicious server.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microfocus | rumba_ftp | — | — |
| microfocus | rumba_ftp | — | — |
| microfocus | rumba_ftp | — | — |
| microfocus | rumba_ftp | — | — |
| microfocus | rumba_ftp | — | — |
| microfocus | rumba_ftp | — | — |
Detection & IOCs
Bytes: \x45\x45\x45\x45\x44\x44\x44\x44
- Detect oversized FTP PWD (257) responses: a 257 response with a directory name exceeding ~629 bytes is the trigger for the stack buffer overflow in Rumba FTP 4.x client.
- Monitor FTP clients connecting to port 21 on untrusted/external hosts; the exploit requires the Rumba FTP client to initiate a connection to a malicious server, so lateral movement or phishing scenarios may precede exploitation.
- Detect SEH-based stack overflow pattern: look for FTP 257 responses containing the byte sequence 0x45454545 (EEEE) followed by 0x44444444 (DDDD) within the quoted directory name field, indicative of SEH/NSEH overwrite.
- Flag Rumba FTP client processes (version 4.x, pre-HF 14668) making outbound FTP connections; process-level monitoring for the Rumba FTP client binary connecting to external IPs on port 21 should trigger investigation.
- The exploit is client-side only: the vulnerable Rumba FTP client must actively connect to the attacker-controlled server; the server itself is not directly exploitable.
- The PoC was tested only on Windows 7; exploit reliability on other Windows versions may vary due to differing ASLR/SafeSEH module layouts.
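The 257-response checks listed above can be expressed as a small parser over captured FTP control-channel bytes. This is an added example, not code from the vendor or the referenced sources; the function names and sample stream are constructed, and the 629-byte threshold is the approximate figure from the notes above.

```python
import re

# Threshold and marker come from the detection notes above; the page gives the
# length as approximate ("~629 bytes"), so treat MAX_DIR_LEN as a tunable.
MAX_DIR_LEN = 629
SEH_MARKER = b"\x45\x45\x45\x45\x44\x44\x44\x44"

# RFC 959 form: 257 "<pathname>" <text>; a quote inside the name is doubled.
PWD_REPLY = re.compile(rb'^257[ -]"((?:[^"]|"")*)"')


def inspect_reply(line: bytes) -> list:
    """Return findings for one server reply line (empty list means clean)."""
    line = line.rstrip(b"\r\n")
    if not line.startswith(b"257"):
        return []
    findings = []
    match = PWD_REPLY.match(line)
    if match is None:
        # No well-formed quoted name (e.g. missing closing quote):
        # measure everything after the reply code instead.
        findings.append("malformed-257")
        name = line[4:]
    else:
        name = match.group(1).replace(b'""', b'"')
    if len(name) > MAX_DIR_LEN:
        findings.append(f"oversized-dir:{len(name)}")
    if SEH_MARKER in name:
        findings.append("poc-marker")
    return findings


def scan_stream(data: bytes) -> list:
    """Scan server-to-client bytes; return (line_number, findings) pairs."""
    hits = []
    for number, line in enumerate(data.split(b"\n"), 1):
        found = inspect_reply(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample: banner, a normal PWD reply, an oversized one, a marker hit.
SAMPLE = (
    b'220 ready\r\n'
    b'257 "/home/user" is current directory\r\n'
    + b'257 "' + b"A" * 700 + b'" is current directory\r\n'
    + b'257 "' + b"A" * 16 + SEH_MARKER + b'" is current directory\r\n'
)

if __name__ == "__main__":
    for number, found in scan_stream(SAMPLE):
        print(number, found)
```

The length check is the durable signal; the marker bytes identify only the unmodified public PoC pattern described above.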
CVSS provenance
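| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |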
References
- http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28731.rumba-ftp-4-x-security-update.aspx
- http://www.securityfocus.com/bid/93974
- https://www.exploit-db.com/exploits/40651/