Ricoh DC Software DL-10 FTP Server USER Remote Code Execution

Added: 05/09/2012
BID: 52235
OSVDB: 79691


Various cameras (e.g. CX1-6, G700, G700SE) provided by Ricoh support transferring images to a PC over FTP. Ricoh supplies a small FTP server called SR-10 / Capftpd which enables users to transfer images from the camera to the computer.


The flaw is caused by a boundary error in the SR10 FTP server when logging FTP commands. This can be exploited to cause a stack-based buffer overflow via a long username sent to TCP port 21, but it requires the "Log file name" option to be enabled (it is disabled by default).
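Because the overflow is triggered by an oversized USER argument on the control channel, a defender watching the service can flag such logins before looking at the server's own log (which, given the flaw, is the very component at risk). The following detector is an added example and is not code from the original page or from Ricoh; the sample command lines, the threshold, and the function names are constructed assumptions. It scans FTP control-channel command lines and reports every USER command whose argument exceeds a length that no legitimate camera login would need.

```python
import re

# Constructed sample of FTP control-channel command lines, as a network
# capture or a proxy log would present them (not from the original page).
SAMPLE_COMMANDS = [
    "USER camera",
    "PASS ****",
    "USER " + "A" * 600,      # oversized username, the pattern to flag
    "PWD",
    "USER anonymous",
    "USER " + "B" * 300,      # a second oversized attempt
]

# Assumed threshold: RFC 959 does not bound the USER argument, but camera
# logins are short, so anything past this length is suspect.
MAX_USER_LEN = 128

USER_RE = re.compile(r"^USER\s+(?P<arg>.*)$", re.IGNORECASE)


def user_arg_length(line):
    """Return the length of the USER argument, or None if the line is not a USER command."""
    m = USER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return len(m.group("arg"))


def flag_oversized_user(lines, max_len=MAX_USER_LEN):
    """Return (index, length) for every USER command whose argument exceeds max_len."""
    hits = []
    for i, line in enumerate(lines):
        n = user_arg_length(line)
        if n is not None and n > max_len:
            hits.append((i, n))
    return hits


if __name__ == "__main__":
    for idx, n in flag_oversized_user(SAMPLE_COMMANDS):
        print(f"line {idx}: USER argument of {n} bytes exceeds {MAX_USER_LEN}")
```

The threshold is deliberately generous so that ordinary usernames never trip it; the point is that a username hundreds of bytes long has no legitimate purpose against this service, and a hit on a host running SR10 with the "Log file name" option enabled is worth an immediate look.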


No updates which address this vulnerability are available at this time. Until an update is available, discontinue use of this software or limit access to the vulnerable service.



This exploit has been tested against the Ricoh SR10 FTP server (SR10.exe) on Windows XP SP3 English (DEP OptIn).


