A remote overflow exists in Ability Server. The application fails to perform proper bounds checking, resulting in a buffer overflow. By issuing an overly long string to the 'APPE' command, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Exploit code was provided by email@example.com and Dark Eagle. The discoverer of this issue is currently unknown.
Further information about the APPE command was provided by Justin Walpole.
Code-Crafters Ability Server 2.3.4
Code-Crafters Ability Server 2.3.2
Code-Crafters Ability Server 2.2.5
Ability Server is reported prone to a remote buffer overflow vulnerability. This issue affects the FTP component of the application and arises due to insufficient boundary checks performed by the FTP server.
A successful attack can result in memory corruption leading to a crash; however, if an attacker is able to overwrite sensitive memory addresses, they could execute code on a computer. Arbitrary code execution occurs in the context of the FTP process and may result in unauthorized access to the vulnerable computer.
Ability Server versions 2.34 and prior were identified to be vulnerable to this issue.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
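For monitoring an exposed server while no vendor fix exists, the following added example (not part of the original advisory and not vendor code) scans FTP control-channel lines and flags APPE commands whose argument exceeds a length limit. The 255-byte limit, the function names and the sample session are assumptions; the advisory does not state the length at which the overflow occurs.

```python
"""Flag FTP control-channel commands with oversized arguments (added example)."""
import re

# Assumption: the advisory gives no overflow length, so this limit is a
# site-chosen policy value, not a property of Ability Server.
MAX_ARG_BYTES = 255
WATCHED = {"APPE"}  # command named in the advisory; extend per local policy

# An FTP command line is a verb, optionally a space and an argument, then CRLF.
_CMD = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)


def inspect_line(raw: bytes, limit: int = MAX_ARG_BYTES):
    """Return (verb, length, suspicious) for one control-channel line."""
    line = raw.rstrip(b"\r\n")
    m = _CMD.match(line)
    if not m:
        # Unparsable input (e.g. no space after the verb): judge the whole line.
        return None, len(line), len(line) > limit
    verb = m.group(1).decode("ascii").upper()  # FTP verbs are case-insensitive
    arg = m.group(2) or b""
    return verb, len(arg), verb in WATCHED and len(arg) > limit


def scan(lines, limit: int = MAX_ARG_BYTES):
    """Yield (index, verb, length) for each suspicious line."""
    for i, raw in enumerate(lines):
        verb, n, bad = inspect_line(raw, limit)
        if bad:
            yield i, verb, n


# Constructed sample session (not captured traffic).
SAMPLE = [
    b"USER alice\r\n",
    b"PASS example\r\n",
    b"APPE reports/2004-10.log\r\n",
    b"appe " + b"A" * 2000 + b"\r\n",   # oversized, lower-case verb
    b"STOR " + b"B" * 2000 + b"\r\n",   # long, but STOR is not in WATCHED
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for idx, verb, n in scan(SAMPLE):
        print(f"line {idx}: {verb} argument is {n} bytes (limit {MAX_ARG_BYTES})")
```
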