January 20th, 2003, 03:30 PM
CuteFTP 5.0 XP - Buffer Overflow!
A new vulnerability has been found in CuteFTP's most recent release.
The author of this vulnerability has contacted the vendor, GlobalSCAPE, with details of the vulnerability; GlobalSCAPE subsequently said they were working on an upgraded version of CuteFTP which would be available to download as of today, 20/1/03. But nothing on the vendor site as of yet!
This could allow arbitrary code to be executed on the remote victim's machine, if the attacker is successful in luring a victim onto his server.
When an FTP server is responding to a "LIST" (directory listing) command, the response is sent over a data connection. Sending 257 bytes over this connection will cause a buffer to overflow, and the EIP register can be overwritten completely by sending 260 bytes of
So anyone currently running this s/w, keep an eye on CuteFTP for the upgrade!
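A defender-side illustration of the bug class described in the post, added here and not taken from CuteFTP or the original report: a LIST-reply reader that refuses any line that would not fit its fixed buffer, plus a length check a client, proxy or IDS rule could run over the raw data-connection payload. The 256-byte cap (LIST_LINE_MAX) and the sample listing are assumptions modelled on the post's 257-byte figure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed cap per LIST line, from the post's numbers: 256 bytes fit, 257 overflow. */
#define LIST_LINE_MAX 256

/* Copy one LIST line into a fixed-size destination, refusing any line that would
 * not fit with its terminating NUL. Returns bytes stored, or -1 when rejected. */
int copy_list_line(char *dst, size_t dstsz, const char *line, size_t linelen) {
    if (dstsz == 0 || linelen >= dstsz)
        return -1;                      /* reject instead of truncating silently */
    memcpy(dst, line, linelen);
    dst[linelen] = '\0';
    return (int)linelen;
}

/* Longest line in a raw LIST reply (CR and LF not counted). A client, proxy or
 * IDS rule can compare this with the buffer size before data reaches it. */
size_t longest_list_line(const char *data, size_t len) {
    size_t longest = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (data[i] == '\n') {
            if (cur > longest) longest = cur;
            cur = 0;
        } else if (data[i] != '\r') {
            cur++;
        }
    }
    return cur > longest ? cur : longest;   /* last line may lack a newline */
}

/* True when some line in the reply is longer than the client's buffer. */
bool list_reply_is_suspicious(const char *d, size_t n) { return longest_list_line(d, n) > LIST_LINE_MAX; }

/* Constructed sample: a benign two-line Unix-style listing as a server sends it. */
static const char SAMPLE_OK[] =
    "drwxr-xr-x   2 ftp ftp     4096 Jan 20 15:30 pub\r\n"
    "-rw-r--r--   1 ftp ftp     1024 Jan 20 15:31 readme.txt\r\n";
size_t sample_ok_longest(void) { return longest_list_line(SAMPLE_OK, sizeof SAMPLE_OK - 1); }
bool sample_ok_suspicious(void) { return list_reply_is_suspicious(SAMPLE_OK, sizeof SAMPLE_OK - 1); }

/* Demo on constructed input: one line of n filler bytes plus CRLF, measured and
 * then fed through the bounded copy. Returns bytes stored, or -1 when rejected. */
int check_line_of_length(size_t n) {
    char line[512], dst[LIST_LINE_MAX + 1];
    if (n > sizeof line - 2) return -1;
    memset(line, 'A', n);
    line[n] = '\r'; line[n + 1] = '\n';
    return copy_list_line(dst, sizeof dst, line, longest_list_line(line, n + 2));
}
```

With the assumed cap, a 256-byte line is stored and a 257-byte line is refused, which is the boundary the post gives for the overflow.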
January 20th, 2003, 03:56 PM
Also, I would recommend switching to WS_FTP. It's a great piece of software, and I've never had any problems with it. You at least might want to switch to it until you find the upgrade/patch for CuteFTP.
You can find WS_FTP at CNet's ever-popular download.com.
January 20th, 2003, 04:11 PM
I've tried CuteFTP XP and the way it's set up for an FTP program is absolutely insane. You're definitely better off getting the Pro version and ditching the XP version altogether. Nicer setup, ease of use, and I've never had a problem with Pro.