
Vulnerability title: Local Code Execution In Core FTP Server

CVE: CVE-2014-1215
Vendor: CoreFTP
Product: Core FTP Server
Affected version: v1.2 build 505
Fixed version: v1.2 build 508
Reported by: Kyriakos Economou


Core FTP Server v1.2 build 505, and possibly earlier versions, suffers from multiple buffer overflow vulnerabilities when reading data from the config.dat file and/or the Windows Registry. The data is copied using the lstrcpy and RegQueryValueEx functions without checking its size against the size of the destination buffer, which can lead to arbitrary code execution.


The application calls RegQueryValueExA once with a NULL buffer to obtain the size of the stored data, then passes that size to a second RegQueryValueExA call that copies the data into a fixed-size static buffer, without first checking whether the data size is actually bigger than the size of that buffer.

004168A0 |. 8D4424 1C LEA EAX, DWORD PTR SS:[ESP+1C]
004168A4 |. 50 PUSH EAX ; /pBufSize
004168A5 |. 6A 00 PUSH 0 ; |Buffer = NULL
004168A7 |. 8D4C24 20 LEA ECX, DWORD PTR SS:[ESP+20] ; |
004168AB |. 51 PUSH ECX ; |pValueType
004168AC |. 6A 00 PUSH 0 ; |Reserved = NULL
004168AE |. 56 PUSH ESI ; |ValueName
004168AF |. 52 PUSH EDX ; |hKey
004168B0 |. FFD7 CALL EDI ; \RegQueryValueExA
004168B2 |. 85C0 TEST EAX, EAX
004168B4 |. 75 1D JNZ SHORT coresrvr.004168D3
004168B6 |. 8D4424 1C LEA EAX, DWORD PTR SS:[ESP+1C]
004168BA |. 50 PUSH EAX ; /pBufSize
004168BB |. 8B4424 10 MOV EAX, DWORD PTR SS:[ESP+10] ; |
004168BF |. 8D4C24 24 LEA ECX, DWORD PTR SS:[ESP+24] ; |
004168C3 |. 51 PUSH ECX ; |Buffer
004168C4 |. 8D5424 20 LEA EDX, DWORD PTR SS:[ESP+20] ; |
004168C8 |. 52 PUSH EDX ; |pValueType
004168C9 |. 6A 00 PUSH 0 ; |Reserved = NULL
004168CB |. 56 PUSH ESI ; |ValueName
004168CC |. 50 PUSH EAX ; |hKey
004168CD |. FFD7 CALL EDI ; \RegQueryValueExA
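As an added example (not Core FTP Server's code and not part of the original advisory), the hardened form of the two-call pattern shown above, in C. The registry is replaced by a constructed in-memory stand-in, query_value, that follows RegQueryValueExA's documented contract so the code builds and runs on any platform; the value names and contents are made up.

```c
/* Added example, not Core FTP Server's code. Models the two-call
 * RegQueryValueExA pattern from the advisory against a constructed
 * in-memory stand-in for the registry so it builds without Windows. */
#include <stdio.h>
#include <string.h>

#define ERROR_SUCCESS   0L
#define ERROR_MORE_DATA 234L
#define REG_SZ          1UL

/* Constructed sample values; the long one stands in for oversized data. */
static const char *SHORT_VAL = "C:\\ftproot";
static const char *long_value(void)
{
    static char v[300];                       /* 299 'A's plus the NUL */
    if (v[0] == '\0') memset(v, 'A', sizeof v - 1);
    return v;
}

/* Stand-in with RegQueryValueExA's documented contract: with buf == NULL it
 * reports the size needed; otherwise *pcb is the buffer size on input and the
 * data size on output, and it fails with ERROR_MORE_DATA if buf is too small. */
static long query_value(const char *name, unsigned long *ptype, void *buf, unsigned long *pcb)
{
    const char *val = strcmp(name, "Long") == 0 ? long_value() : SHORT_VAL;
    unsigned long need = (unsigned long)strlen(val) + 1;
    if (ptype) *ptype = REG_SZ;
    if (buf == NULL) { *pcb = need; return ERROR_SUCCESS; }
    if (*pcb < need) { *pcb = need; return ERROR_MORE_DATA; }
    memcpy(buf, val, need);
    *pcb = need;
    return ERROR_SUCCESS;
}

/* Hardened version of the advisory's flow: the first call only learns the
 * size, which is compared against the fixed destination buffer before the
 * second call copies anything. The vulnerable code skipped that compare. */
static long read_setting(const char *name, char *dst, unsigned long dst_size)
{
    unsigned long type = 0, cb = 0;
    long rc = query_value(name, &type, NULL, &cb);
    if (rc != ERROR_SUCCESS) return rc;
    if (type != REG_SZ || cb > dst_size) return ERROR_MORE_DATA; /* the missing check */
    cb = dst_size;                     /* bound the copy by the real buffer size too */
    rc = query_value(name, &type, dst, &cb);
    if (rc != ERROR_SUCCESS) return rc;
    dst[dst_size - 1] = '\0';          /* REG_SZ data is not guaranteed NUL-terminated */
    return ERROR_SUCCESS;
}

int main(void)
{
    char buf[64];
    printf("Short: %ld (%s)\n", read_setting("Short", buf, sizeof buf), buf);
    printf("Long:  %ld\n", read_setting("Long", buf, sizeof buf));  /* 234 = ERROR_MORE_DATA */
    return 0;
}
```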


This vulnerability allows local code execution.


The proof of concept exploit is available.

Vendor status:

03/12/2013 Advisory created
04/12/2013 Vendor contacted
04/12/2013 Vendor working on a fix
09/01/2014 Fix released
13/01/2014 Partial fix confirmed
14/01/2014 CVE obtained
18/02/2014 Published

Copyright © Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.