Vulnerability Note VU#857846

Ability Server vulnerable to buffer overflow

Overview

A buffer overflow in the Ability Server may allow remote authenticated attackers to execute arbitrary code.

I. Description

A lack of input validation in Ability Server's FTP STOR command may allow a buffer overflow to occur. A remote authenticated attacker may be able to exploit this vulnerability by supplying the Ability Server with a specially crafted FTP STOR command.

According to reports, Ability Server versions 2.34, 2.25. and 2.32 are vulnerable. However, other versions may also be affected.

II. Impact

A remote authenticated attacker may be able to execute arbitrary code with the privileges of the Ability Server process or cause a denial-of-service condition.

III. Solution

We are currently unaware of a practical solution to this problem.

Block or Restrict Access

Block or restrict access to the Ability Server from untrusted hosts.

Upgrade

The Ability Server has been discontinued. Ability Server users are encouraged to upgrade to the Ability FTP Server to correct this issue.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Code-Crafters	Unknown	22-Dec-2004

References

http://securitytracker.com/alerts/2004/Oct/1011858.html
http://securityfocus.com/bid/11508/
http://www.osvdb.org/11030

Credit

This vulnerability was publicly reported in a Security Tracker Advisory.

Security Tracker credits K-Otik with providing information regarding this issue.

This document was written by Jeff Gennari.

Other Information

Date Public:	2004-10-21
Date First Published:	2004-12-22
Date Last Updated:	2004-12-22
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	12.94
Document Revision:	69

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader