Ricoh DC Software DL-10 FTP Server USER Remote Code Execution

Added: 05/09/2012
BID: 52235
OSVDB: 79691

Background

Various cameras (e.g. CX1-6, G700, G700SE) provided by Ricoh support transferring images to a PC over FTP. Ricoh supplies a small FTP server called SR-10 / Capftpd which enables users to transfer images from camera to computer.

Problem

The flaw is caused by a boundary error in the SR10 FTP server when logging FTP commands. It can be exploited to cause a stack-based buffer overflow via a long username sent to TCP port 21, but only when the "Log file name" option is enabled (it is disabled by default).
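
The defect class described above, shown as an added illustration beside a bounded replacement. This is not Ricoh's code: the buffer size, log format and all function names are assumptions, since the advisory gives none of them.

```c
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 128          /* assumed; the advisory gives no buffer size */
#define TRUNC_MARK   "...[truncated]"

/* Defect class from the advisory: a network-supplied string is formatted
 * into a fixed stack buffer with no length bound. Shown for contrast only;
 * nothing in this example calls it. */
void log_command_unsafe(FILE *log, const char *verb, const char *arg)
{
    char line[LOG_LINE_MAX];
    sprintf(line, "%s %s\n", verb, arg);   /* overruns line[] when arg is long */
    fputs(line, log);
}

/* Bounded formatter. Returns 0 if the line fit, 1 if it was truncated,
 * -1 on bad arguments. dst is NUL-terminated whenever 0 or 1 is returned. */
int format_log_line(char *dst, size_t dstlen, const char *verb, const char *arg)
{
    const size_t tail = sizeof(TRUNC_MARK "\n");   /* marker + '\n' + NUL */
    if (dst == NULL || verb == NULL || arg == NULL || dstlen < tail)
        return -1;

    int n = snprintf(dst, dstlen, "%s %s\n", verb, arg);
    if (n < 0)
        return -1;
    if ((size_t)n < dstlen)
        return 0;                          /* whole line fit */

    /* Truncated: overwrite the end so the log records that data was cut. */
    memcpy(dst + dstlen - tail, TRUNC_MARK "\n", tail);
    return 1;
}

/* Drop-in logger built on the bounded formatter. */
void log_command(FILE *log, const char *verb, const char *arg)
{
    char line[LOG_LINE_MAX];
    if (format_log_line(line, sizeof line, verb, arg) >= 0)
        fputs(line, log);
}
```

A return value of 1 from `format_log_line` is also a cheap detection signal: a legitimate camera login has no reason to send a username that fills the log buffer.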

Resolution

No updates which address this vulnerability are available at this time. Until an update is available, discontinue use of this software or limit access to the vulnerable service.

References

http://secunia.com/advisories/47912/
http://security.inshell.net/advisory/5

Limitations

This exploit has been tested against Ricoh SR10 FTP server 4.5.0.1 (SR10.exe 1.1.0.6) on Windows XP SP3 English (DEP OptIn).

Platforms

Windows
