COMMAND

    cesarFTP

SYSTEMS AFFECTED

    cesarFTP v0.98b

PROBLEM

    'ByteRage' found the following.  CesarFTP v0.98b is vulnerable to a
    buffer overflow when it receives the HELP command followed by a very
    long argument.  Sending the following Perl string:

        "HELP " . ("A" x 1978) . "CCCC\x00\x0D\x0A"

    redirects EIP in SERVER.EXE to 0x43434343 ("CCCC"), i.e. the 4 bytes
    placed after 1978 bytes of filler end up as the instruction pointer.
    HELP is accepted before authentication, so anyone who can reach the
    FTP port can compromise the Win9x/NT/2k host without valid credentials.
    The only tricky part in writing the exploit is that SERVER.EXE does
    not have LoadLibraryA or GetProcAddress in its import table, but it
    does import enough other functions to take over the machine (registry
    functions, CreateDirectoryA, CreateFileA, ReadFile, WriteFile,
    ShellExecuteA, ...).

SOLUTION

    The vendor has been notified.  Until a fixed release is available,
    restrict network access to the CesarFTP port or stop the service, since
    the flaw is reachable before authentication.