search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Ability Server vulnerable to buffer overflow

Vulnerability Note VU#857846

Original Release Date: 2004-12-22 | Last Revised: 2004-12-22


A buffer overflow in the Ability Server may allow remote authenticated attackers to execute arbitrary code.


A lack of input validation in Ability Server's FTP STOR command may allow a buffer overflow to occur. A remote authenticated attacker may be able to exploit this vulnerability by supplying the Ability Server with a specially crafted FTP STOR command.

According to reports, Ability Server versions 2.34, 2.25. and 2.32 are vulnerable. However, other versions may also be affected.


A remote authenticated attacker may be able to execute arbitrary code with the privileges of the Ability Server process or cause a denial-of-service condition.


We are currently unaware of a practical solution to this problem.

Block or Restrict Access

Block or restrict access to the Ability Server from untrusted hosts.


The Ability Server has been discontinued. Ability Server users are encouraged to upgrade to the Ability FTP Server to correct this issue.

Vendor Information


Code-Crafters Unknown

Notified:  December 17, 2004 Updated: December 22, 2004



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was publicly reported in a Security Tracker Advisory.Security Tracker credits K-Otik with providing information regarding this issue.

This document was written by Jeff Gennari.

Other Information

CVE IDs: None
Severity Metric: 12.94
Date Public: 2004-10-21
Date First Published: 2004-12-22
Date Last Updated: 2004-12-22 19:54 UTC
Document Revision: 70

Sponsored by CISA.