CVE-2014-1215 – Local Code Execution in CoreFTP Core FTP Server

Vulnerability title: Local Code Execution in CoreFTP Core FTP Server
CVE: CVE-2014-1215
Vendor: CoreFTP
Product: Core FTP Server
Affected version: v1.2 build 505
Fixed version: v1.2 build 508
Reported by: Kyriakos Economou

Details:
Core FTP Server v1.2 build 505 (latest version) and possibly earlier versions, suffer from multiple buffer overflow vulnerabilities, when reading data from the config.dat file and/or Windows Registry using the lstrcpy and RegQueryValueEx functions without evaluating the size of the data based on the size of the destination buffer, which can lead to arbitrary code execution.

It is recommended to revise all code locations where the application
makes use of those functions.

Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1215/

Share