Topic: LeapFTP filename parsing vulnerability
Affects: LeapFTP releases prior to 3.1
Announced: 2010-10-31
Credits: corelanc0d3r (member of Corelan Team)
Author: cravey@leapware.com

0. Advisory Revision History

v1.0 Initial Release

I. Background

LeapFTP allows remote servers to provide filenames.

II. Problem Description

A buffer overflow vulnerability has been identified that may allow a malicious server to execute arbitrary code on a system connecting with LeapFTP. This vulnerability occurs during the parsing of the filename string from the server when a download starts. If a remote server passes a filename longer than 255 bytes, a buffer overflow may result.

III. Impact

When a LeapFTP user connects to a malicious server, that server, using a specially formed response, may cause arbitrary code to be executed on the client computer with the privileges of the LeapFTP application.

IV. Workaround

No workaround is available. LeapFTP 3.1 now prevents viewing of remote files longer than 255 bytes to reflect filesystem limitations of Windows Operating Systems.

V. Solution

Upgrade your LeapFTP client to version 3.1.
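
The 255-byte limit described in sections II and IV, shown as a length check a client can apply before copying a server-supplied filename into a fixed buffer. This is an added example, not LeapFTP source code; the function names, status codes and the constructed test input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REMOTE_NAME 255  /* byte limit stated in the advisory */
enum name_status { NAME_OK = 0, NAME_TOO_LONG = -1, NAME_INVALID = -2 };

/* Hypothetical helper: validate, then copy, a filename taken from a server
 * response. src is raw bytes of length src_len, not assumed NUL-terminated. */
enum name_status copy_remote_filename(const unsigned char *src, size_t src_len,
                                      char *dst, size_t dst_size)
{
    if (src == NULL || dst == NULL || dst_size == 0)
        return NAME_INVALID;
    dst[0] = '\0';                       /* defined contents on every failure */
    if (src_len == 0)
        return NAME_INVALID;
    /* Reject instead of truncating: a truncated name may alias another file. */
    if (src_len > MAX_REMOTE_NAME || src_len >= dst_size)
        return NAME_TOO_LONG;
    /* Embedded NUL or CR/LF indicates a malformed response. */
    for (size_t i = 0; i < src_len; i++) {
        if (src[i] == '\0' || src[i] == '\r' || src[i] == '\n')
            return NAME_INVALID;
    }
    memcpy(dst, src, src_len);           /* length already bounded above */
    dst[src_len] = '\0';
    return NAME_OK;
}

/* Constructed input: a name made of n 'a' bytes, as a server might send. */
int try_length(size_t n)
{
    static unsigned char wire[1024];
    char name[MAX_REMOTE_NAME + 1];
    if (n > sizeof wire)
        return NAME_INVALID;
    memset(wire, 'a', n);
    return copy_remote_filename(wire, n, name, sizeof name);
}

int main(void)
{
    printf("255 bytes -> %d\n", try_length(255));
    printf("256 bytes -> %d\n", try_length(256));
    return 0;
}
```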