CVE-2017-18047
Description
Buffer overflow in LabF nfsAxe 3.7 FTP client allows remote attackers to execute arbitrary code via a long reply from a malicious FTP server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
LabF nfsAxe version 3.7 contains a buffer overflow vulnerability in its FTP client component. When the client connects to an FTP server and receives a long reply, the client fails to properly validate the length of the response, leading to a stack-based buffer overflow. This vulnerability is triggered upon connection, specifically when the server sends a crafted reply that overwrites the Structured Exception Handler (SEH) record [1][2][3]. The affected version is 3.7; no other versions are mentioned in the references.
Exploitation
An attacker must set up a malicious FTP server that sends a specially crafted long reply to the victim's nfsAxe FTP client. The victim must connect to the attacker-controlled server (e.g., by using the client to connect to the attacker's IP). No authentication is required; the exploit works with anonymous login [1]. The exploit code overwrites the SEH record and uses a pop/pop/ret gadget to achieve code execution [2]. The exploit has been demonstrated on Windows 7 (x86) and Windows Vista [1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the victim's machine with the privileges of the user running the nfsAxe FTP client. This can lead to full compromise of the system, including installation of malware, data exfiltration, or further lateral movement. The payload in the exploit examples is a reverse TCP meterpreter shell [1][2].
Mitigation
As of the publication date (2018-01-22), no official patch or fixed version has been released by LabF. The vendor's website (http://www.labf.com) may no longer be active; the software appears to be end-of-life. The only mitigation is to avoid using nfsAxe 3.7 or to restrict outbound FTP connections to trusted servers. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the time of writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing bounds checking on the FTP server's "220" banner reply allows a stack buffer overflow in the nfsAxe 3.7 FTP client.
Attack vector
An attacker sets up a malicious FTP server that, upon receiving a client connection, sends a crafted "220" reply containing a long buffer. The nfsAxe FTP client connects to the server (e.g., by logging in as "anonymous") and copies this oversized reply into a fixed-size stack buffer without bounds checking. This overwrites the Structured Exception Handler (SEH) record, allowing the attacker to hijack execution flow via a stack pivot and ROP chain, ultimately executing arbitrary shellcode [1].
Affected code
The vulnerable component is the FTP client in LabF nfsAxe 3.7. The exploit targets the client's handling of the FTP "220" banner reply, which is sent by the server upon connection. The client does not validate the length of this reply before copying it into a stack buffer, leading to a buffer overflow.
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or remediation guidance. To mitigate the vulnerability, users should avoid connecting to untrusted FTP servers with nfsAxe 3.7 or apply input-length validation on the client side to reject overly long server replies.
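The client-side length validation mentioned above, sketched as an added example in C (not nfsAxe code and not taken from the referenced exploits): a reply-line parser that rejects an over-long "220" banner instead of copying it. The 512-byte line cap, the 256-byte destination buffer and the names `ftp_parse_reply` and `check_banner` are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FTP_REPLY_MAX 512  /* assumed cap for one reply line, CRLF included */
enum { FTP_TOO_LONG = -1, FTP_INCOMPLETE = -2, FTP_MALFORMED = -3 };

/* Unsafe pattern the advisory describes (hypothetical, not nfsAxe source):
 *     char banner[256];
 *     strcpy(banner, reply);        // copy length is chosen by the server
 * Bounded alternative: return the 3-digit reply code, or a negative status.
 * Nothing is written to out until the line is known to fit in out_cap. */
int ftp_parse_reply(const char *raw, size_t raw_len, char *out, size_t out_cap)
{
    /* Search for LF only inside the window we are willing to accept. */
    size_t window = raw_len < FTP_REPLY_MAX ? raw_len : FTP_REPLY_MAX;
    const char *lf = window ? memchr(raw, '\n', window) : NULL;
    if (lf == NULL)
        return raw_len >= FTP_REPLY_MAX ? FTP_TOO_LONG : FTP_INCOMPLETE;

    size_t len = (size_t)(lf - raw);
    if (len > 0 && raw[len - 1] == '\r') len--;   /* drop the CR of CRLF */
    if (len >= out_cap) return FTP_TOO_LONG;      /* reject, never truncate */

    /* RFC 959 reply line: three digits, then ' ' or '-' before any text. */
    if (len < 3 || !isdigit((unsigned char)raw[0]) ||
        !isdigit((unsigned char)raw[1]) || !isdigit((unsigned char)raw[2]) ||
        (len > 3 && raw[3] != ' ' && raw[3] != '-'))
        return FTP_MALFORMED;

    memcpy(out, raw, len);
    out[len] = '\0';
    return (raw[0] - '0') * 100 + (raw[1] - '0') * 10 + (raw[2] - '0');
}

/* Demo helper: feed a constructed "220 " + text_len filler bytes + CRLF. */
int check_banner(size_t text_len)
{
    static char raw[8192]; char out[256];
    if (text_len > sizeof raw - 6) return FTP_MALFORMED;
    memcpy(raw, "220 ", 4);
    memset(raw + 4, 'A', text_len);
    memcpy(raw + 4 + text_len, "\r\n", 2);
    return ftp_parse_reply(raw, text_len + 6, out, sizeof out);
}

int main(void) { printf("%d %d\n", check_banner(20), check_banner(4000)); return 0; }
```

A caller that gets `FTP_TOO_LONG` or `FTP_MALFORMED` should close the control connection rather than keep reading from the same server.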
Preconditions
- config: The victim must use LabF nfsAxe 3.7 FTP client
- input: The victim must connect to an attacker-controlled FTP server (e.g., by selecting 'anonymous' login)
- auth: No authentication is required; the overflow occurs during the initial banner exchange
- network: The attacker's FTP server must be reachable from the victim's network
Reproduction
1. Run the provided Python script on the attacker machine (listens on port 21).
2. On the victim machine (Windows 7 x86 with nfsAxe 3.7), launch the FTP client and connect to the attacker's IP.
3. Check "anonymous" login and click connect.
4. The malicious "220" banner reply triggers the buffer overflow, executing the embedded shellcode [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
- www.exploit-db.com/exploits/42011/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- www.exploit-db.com/exploits/43236/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- www.exploit-db.com/exploits/43518/ (mitre, exploit, x_refsource_EXPLOIT-DB)