<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Stor - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/stor/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/stor/feed.xml" rel="self" type="application/rss+xml"/><item><title>FreeFloat FTP Server 1.0 STOR Command Buffer Overflow</title><link>https://feed.craftedsignal.io/briefs/2024-01-freefloat-ftp-overflow/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-freefloat-ftp-overflow/</guid><description>FreeFloat FTP Server 1.0 is vulnerable to a buffer overflow in the STOR command handler, enabling remote attackers to execute arbitrary code by sending a crafted STOR request with an oversized payload.</description><content:encoded><![CDATA[<p>FreeFloat FTP Server version 1.0 is susceptible to a buffer overflow vulnerability (CVE-2019-25614) within the handling of the STOR command. This flaw allows unauthenticated remote attackers to execute arbitrary code on the affected system. The attack involves sending a specially crafted STOR request to the FTP server, exploiting a lack of proper bounds checking when processing the incoming data. Successful exploitation grants the attacker complete control over the compromised server, potentially leading to data exfiltration, system disruption, or further lateral movement within the network. This vulnerability poses a significant risk to organizations utilizing the outdated and unsupported FreeFloat FTP Server 1.0 software.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker connects to the FTP server using anonymous credentials.</li>
<li>The attacker sends a &quot;STOR&quot; command to initiate a file upload.</li>
<li>The attacker sends a crafted payload with 247 bytes of padding.</li>
<li>The attacker includes a return address within the crafted payload to redirect execution flow.</li>
<li>The attacker injects shellcode into the payload to perform malicious actions.</li>
<li>The FTP server's STOR command handler processes the oversized payload without proper bounds checking.</li>
<li>The buffer overflow overwrites the return address on the stack.</li>
<li>Upon function return, execution jumps to the attacker-controlled shellcode, granting arbitrary code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this buffer overflow vulnerability allows remote attackers to execute arbitrary code on the FreeFloat FTP server. This can lead to complete system compromise, potentially resulting in data theft, denial-of-service, or further malicious activity within the network. Given the nature of FTP servers as data repositories, the impact can be significant for organizations using affected versions. The CVSS v3.1 score of 9.8 reflects the critical severity of this vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade or discontinue use of FreeFloat FTP Server 1.0 immediately, as it is no longer supported and contains known vulnerabilities.</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious FTP STOR Command Payload&quot; to identify potentially malicious STOR requests (see the <code>rules</code> section).</li>
<li>Monitor network traffic for unusually large payloads associated with FTP STOR commands.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2019-25614</category><category>buffer-overflow</category><category>ftp</category><category>stor</category><category>code-execution</category><category>windows</category></item></channel></rss>