Topic:      LeapFTP PASV reply parsing buffer overflow vulnerability
Affects:    LeapFTP releases prior to 2.7.4
Announced:  2003-05-20
Credits:    nesumin [:: Operash ::]
Author:     cravey@leapware.com

0. Advisory Revision History

v1.0  Initial Release

I. Background

LeapFTP allows users to access servers via the PASV connection type.

II. Problem Description

A buffer overflow vulnerability has been identified that may allow a malicious server to execute arbitrary code on a system connecting with LeapFTP. This vulnerability occurs during the parsing of the PASV reply string from the server.

III. Impact

When a LeapFTP user connects to a malicious server using PASV (Passive) mode, that server, using a specially formed response, may cause arbitrary code to be executed on the client computer with the privileges of the LeapFTP application. PASV mode must be enabled for the client to be vulnerable to this attack. Due to the design of the FTP protocol, PASV mode is most frequently enabled when either the client or the server is behind a firewall.

IV. Workaround

Disable PASV mode by going to the "PROXY" tab of the "Preferences Dialog" and making sure that "Use PASV mode" and "Try alternate connection mode" are NOT checked.

V. Solution

Upgrade your LeapFTP client to version 2.7.4.
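
The advisory does not show the flawed routine, so the following is an added example, not LeapFTP code: a client-side parser for the standard "227 ... (h1,h2,h3,h4,p1,p2)" PASV reply that treats the server's string as untrusted and writes only into fixed-size outputs. The function name parse_pasv_reply, the PASV_MAX_REPLY limit and the sample reply are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PASV_MAX_REPLY 128   /* assumed upper bound for one reply line */

/* Parse a PASV reply into a 4-byte address and a port.
 * Returns 0 on success, -1 on any malformed or oversized input. */
int parse_pasv_reply(const char *reply, unsigned char ip[4], unsigned short *port)
{
    unsigned long v[6];
    const char *p;
    int i;

    /* Reject over-long lines and anything that is not a 227 reply. */
    if (strlen(reply) > PASV_MAX_REPLY || strncmp(reply, "227 ", 4) != 0)
        return -1;
    p = strchr(reply, '(');
    if (p == NULL)
        return -1;
    p++;
    for (i = 0; i < 6; i++) {
        int digits = 0;
        v[i] = 0;
        while (isdigit((unsigned char)*p)) {
            if (++digits > 3)            /* no field is longer than "255" */
                return -1;
            v[i] = v[i] * 10 + (unsigned long)(*p - '0');
            p++;
        }
        if (digits == 0 || v[i] > 255)   /* empty field or out of range */
            return -1;
        if (*p != (i < 5 ? ',' : ')'))   /* exactly six fields, then ')' */
            return -1;
        p++;
    }
    for (i = 0; i < 4; i++)
        ip[i] = (unsigned char)v[i];
    *port = (unsigned short)(v[4] * 256 + v[5]);
    return 0;
}

int main(void)
{
    unsigned char ip[4];
    unsigned short port;
    /* Constructed sample reply using a documentation address. */
    if (parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,19,137)", ip, &port) == 0)
        printf("%u.%u.%u.%u:%u\n", ip[0], ip[1], ip[2], ip[3], port);
    return 0;
}
```

Every field is length-checked and range-checked before it is stored, so no part of the reply is copied into a buffer whose size the server controls.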