VYPR
Unrated severity · NVD Advisory · Published Apr 5, 2021 · Updated Aug 4, 2024

CVE-2020-19595

Description

Buffer overflow in Core FTP Server v2 Build 697 allows unauthenticated remote attackers to cause denial of service or possibly execute arbitrary code via a crafted username.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow vulnerability exists in Core FTP Server v2 Build 697 (and earlier builds such as 583) during the processing of a crafted username in the FTP or SFTP authentication phase. Sending an overly long username string causes a buffer overflow that can overwrite the instruction pointer (EIP) [1]. The vulnerability is reachable without any prior authentication.

Exploitation

An unauthenticated attacker can exploit this by connecting to the Core FTP Server service and sending a username consisting of a large number of characters (e.g., 'A' repeated many times). No authentication or special privileges are required; the attacker only needs network access to the server. The reference reports that sending such a username causes the server to stop responding and hang, indicating a crash [1].
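As an added illustration, not Core FTP's own code (its source is not public), a hypothetical USER-command handler in C that applies the length check whose absence the advisory describes; USERNAME_MAX, the enum values and the function names are assumptions:

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical username buffer size; Core FTP's real size is not public. */
#define USERNAME_MAX 64

enum user_result { USER_OK = 0, USER_TOO_LONG = 1, USER_BAD_SYNTAX = 2 };

/* The defect class the advisory describes is an unchecked copy of the USER
 * argument into a fixed-size stack buffer (e.g. strcpy(username, arg)), so a
 * long username runs past the buffer and over the saved return address. This
 * handler measures the argument before any copy and rejects oversized or empty
 * arguments, which is the check the vulnerable build lacks. */
enum user_result handle_user_bounded(const char *line, char *dst, size_t dst_len) {
    const char *arg;
    size_t len;
    if (strncmp(line, "USER ", 5) != 0)
        return USER_BAD_SYNTAX;
    arg = line + 5;
    len = strcspn(arg, "\r\n");    /* argument ends at CRLF */
    if (len == 0)
        return USER_BAD_SYNTAX;
    if (len >= dst_len)            /* no room for the terminator: reject */
        return USER_TOO_LONG;
    memcpy(dst, arg, len);
    dst[len] = '\0';
    return USER_OK;
}

/* Classify one raw control-channel line against a USERNAME_MAX buffer. */
int check_user_line(const char *line) {
    char name[USERNAME_MAX];
    return (int)handle_user_bounded(line, name, sizeof name);
}

/* Build "USER " + n copies of c + CRLF and classify it: the advisory's input
 * shape (one character repeated many times) without a giant literal. */
int check_repeated_username(size_t n, char c) {
    char *line = malloc(n + 8);
    int r;
    if (line == NULL)
        return -1;
    memcpy(line, "USER ", 5);
    memset(line + 5, c, n);
    memcpy(line + 5 + n, "\r\n", 3);
    r = check_user_line(line);
    free(line);
    return r;
}
```

A server that rejects at the parse step answers with an FTP 501 reply and keeps serving, instead of crashing as the vulnerable build does.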

Impact

Successful exploitation results in denial of service (server crash or hang) and, if the overflow is carefully crafted, remote code execution. The reference demonstrates that on a system without memory protections (Windows XP SP3), the EIP can be overwritten, allowing arbitrary code execution with the privileges of the Core FTP Server process, which typically runs with SYSTEM or administrative rights [1].

Mitigation

No fix or workaround is disclosed in the available references. Users should contact the vendor for an updated version or apply any available patch. As of the publication date (2021-04-05), the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; mechanics are only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.