VanDyke AbsoluteFTP FTP Client LIST Overflow

Added: 12/12/2011
BID: 50614
OSVDB: 77105

Background

VanDyke AbsoluteFTP is a popular free FTP client. AbsoluteFTP was replaced by SecureFX in 1998, and support for AbsoluteFTP ended in 2007.

Problem

The AbsoluteFTP client contains a buffer overflow vulnerability when parsing file and directory listing replies from the server. The client tries to copy the file name to a fixed-length stack buffer without performing adequate validation.
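
A bounded version of the file-name copy described above, as an added example that is not VanDyke's code and not part of the original advisory. The Unix-style listing layout, the 260-byte buffer size, and the names `parse_list_name` and `NAME_MAX_LEN` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 260   /* assumed size; the product's real buffer size is not on the page */

enum { LIST_OK = 0, LIST_MALFORMED = -1, LIST_NAME_TOO_LONG = -2 };

/* Unsafe pattern the advisory describes, for contrast only:
 *     char name[NAME_MAX_LEN];
 *     strcpy(name, name_field);      length is chosen by the server */

/* Extract the name from one Unix-style LIST line (assumed layout):
 *   "-rw-r--r-- 1 owner group 1234 Jan 01 12:00 file name.txt\r\n"
 * The name is everything after the eighth whitespace-separated field. */
int parse_list_name(const char *line, char *out, size_t out_sz)
{
    const char *p = line;
    size_t len;

    if (line == NULL || out == NULL || out_sz == 0)
        return LIST_MALFORMED;
    out[0] = '\0';                        /* never leave stale data on error */

    for (int field = 0; field < 8; field++) {
        p += strspn(p, " \t");            /* skip separators */
        if (*p == '\0' || *p == '\r' || *p == '\n')
            return LIST_MALFORMED;        /* fewer than eight fields */
        p += strcspn(p, " \t\r\n");       /* skip the field itself */
    }
    p += strspn(p, " \t");
    len = strcspn(p, "\r\n");             /* name ends at CR, LF or NUL */
    if (len == 0)
        return LIST_MALFORMED;
    if (len >= out_sz)
        return LIST_NAME_TOO_LONG;        /* reject: no truncation, no overflow */

    memcpy(out, p, len);
    out[len] = '\0';
    return LIST_OK;
}

int main(void)
{
    char name[NAME_MAX_LEN];
    /* constructed sample line, not captured traffic */
    int rc = parse_list_name("-rw-r--r-- 1 ftp ftp 1234 Jan 01 12:00 readme.txt\r\n", name, sizeof name);
    printf("rc=%d name=\"%s\"\n", rc, name);
    return rc == LIST_OK ? 0 : 1;
}
```

The length check runs before any byte is written, so an over-long name from the server is reported to the caller instead of being copied or silently truncated.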

Resolution

The vendor has discontinued support for AbsoluteFTP. Further usage of this product is not recommended.

References

http://www.vandyke.com/products/absoluteftp/index.html
http://secunia.com/advisories/46781/

Limitations

This exploit has been tested against VanDyke AbsoluteFTP 2.2.10 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

Platforms

Windows
