zFtp Server <= 2011-04-13 | "STAT,CWD" Remote Denial of Service Vulnerability
1. OVERVIEW The zFTP server is found to be vulnerable to denial of service in handling STAT and CWD commands with overly large buffer requests. 2. BACKGROUND The zFTP server is a Windows based FTP server with focus on clever Active Directory integration and powerful, effortless administration. 3. VERSIONS AFFECTED 2011-04-13 and earlier 4. PROOF-OF-CONCEPT/EXPLOIT http://www.exploit-db.com/exploits/18028/ 5. SOLUTION The vendor has released the patched version ( http://download.zftpserver.com/zFTPServer_Suite_Setup.exe ) 6. VENDOR Vastgota-Data 7. CREDIT This vulnerability was discovered by Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 8. DISCLOSURE TIME-LINE 2011-06-19: notified vendor through email 2011-10-17: vendor released fixed version, 2011-10-17 2011-10-25: vulnerability disclosed 9. REFERENCES Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/[zftpserver_2011-04-13]_stat,cwd_dos zFTP Server Home Page: