CVE-2017-14742
Description
Buffer overflow in LabF nfsAxe FTP client 3.7 allows remote attackers to execute arbitrary code via a crafted FTP server response.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overflow in LabF nfsAxe FTP client 3.7 allows remote attackers to execute arbitrary code via a crafted FTP server response.
Vulnerability
A buffer overflow vulnerability exists in LabF nfsAxe FTP client version 3.7. When connecting to a malicious FTP server, the client receives a specially crafted response that overwrites the Structured Exception Handler (SEH) record, leading to arbitrary code execution. The vulnerability is triggered when the user connects to the server and logs in as anonymous [1].
Exploitation
An attacker must set up a malicious FTP server and send a crafted buffer to the client upon connection. The exploit, published in the OffSec Exploit Database, targets Windows 7 (x86) and requires the victim to connect as anonymous [1]. No additional authentication or user interaction beyond connecting is needed.
Impact
Successful exploitation allows remote code execution in the context of the FTP client process, enabling the attacker to gain full control over the victim's system [1].
Mitigation
As of the time of disclosure, no official fix or patch has been released by LabF for nfsAxe FTP client 3.7. Users are advised to avoid using this vulnerable version and consider alternative FTP clients [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- LabF/nfsAxe FTP clientdescription
- Range: = 3.7
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Buffer overflow in the FTP client's handling of the server's directory response string allows SEH overwrite."
Attack vector
An attacker sets up a malicious FTP server and waits for a victim running nfsAxe 3.7 to connect. The victim logs in as anonymous (the default option in the client) [ref_id=1]. After the login handshake, the server sends a crafted `220` response containing an oversized buffer that overwrites the Structured Exception Handler (SEH) record on the client's stack [ref_id=1]. The SEH overwrite triggers a stack pivot gadget that redirects execution into a ROP chain, ultimately calling VirtualProtect to make the heap executable and then running shellcode [ref_id=1]. No authentication is required beyond the anonymous login that the client offers by default.
Affected code
The vulnerable component is the LabF nfsAxe FTP client version 3.7. The exploit targets the client's handling of the FTP "current directory" response (the `220` banner line) after a successful anonymous login. The specific function or file within the client is not identified in the advisory.
What the fix does
No patch or vendor fix is documented in the advisory. The exploit targets LabF nfsAxe FTP client version 3.7, and the advisory does not indicate that a patched version was ever released [ref_id=1]. Remediation would require the vendor to add bounds checking on the FTP server's response buffer before copying it into stack memory, preventing the SEH overwrite.
Preconditions
- networkVictim must connect to the attacker-controlled FTP server using the nfsAxe 3.7 client
- inputVictim must log in as anonymous (the client's default option)
- authNo authentication credentials are required beyond the anonymous login
Reproduction
1. Run the provided Python script on the attacker machine (it listens on port 21). 2. On the victim Windows 7 (x86) machine, open LabF nfsAxe FTP client 3.7. 3. Enter the attacker's IP address as the server. 4. Check the "anonymous" login checkbox and click "Connect". 5. The client receives the malicious `220` response and the SEH overwrite triggers code execution [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.exploit-db.com/exploits/43236/mitreexploitx_refsource_EXPLOIT-DB
News mentions
0No linked articles in our index yet.