VID 16070
Severity 40
Port 21
Protocol TCP
Class FTP
Detailed Description The remote Serv-U FTP server, according to its version number, is vulnerable to a buffer overflow in the LIST command.
RhinoSoft Serv-U FTP is an FTP server for Microsoft Windows operating systems. Serv-U FTP versions 5.0.0.4 and earlier are vulnerable to a buffer overflow caused by improper handling of arguments to LIST requests. A remote, authenticated attacker could supply a long -l parameter (containing approximately 134 bytes) to the LIST command to overflow a buffer and cause the server to crash. This issue may also be leveraged to execute code on the affected system with the privileges of the user that invoked the vulnerable application, although this has not been confirmed.

* Note: This check relies solely on the version number of the remote FTP server to assess this vulnerability, so this might be a false positive.

* References:
http://www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html
http://www.securityfocus.com/archive/1/361990

* Platforms Affected:
Rhino Software, Inc. Serv-U FTP Server 5.0.0.4 and earlier
Microsoft Windows Any version
Recommendation Upgrade to the latest version of Serv-U (5.0.0.6 or later), available from the Serv-U Web site at http://www.serv-u.com/
Related URL CVE-2004-1992 (CVE)
Related URL 10181 (SecurityFocus)
Related URL 15913 (ISS)