
CERT Coordination Center

FileCOPA FTP server vulnerable to buffer overflow

Vulnerability Note VU#713092

Original Release Date: 2006-09-29 | Last Revised: 2006-09-29

Overview

There is a buffer overflow vulnerability in the FileCOPA FTP server that may allow a remote attacker to execute arbitrary code.

Description

FileCOPA is an FTP server for Microsoft Windows that supports anonymous file transfers.

There is a buffer overflow vulnerability in the FileCOPA FTP service (filecpnt.exe) that can be triggered by malformed input passed to the server in common FTP commands. If anonymous connections to the server are allowed, an attacker would not need valid user credentials to exploit this vulnerability.

Impact

A remote, unauthenticated attacker may execute arbitrary code.

Solution

Upgrade
Upgrade to FileCOPA version 1.01.
Disable Anonymous Access
Disabling anonymous access may mitigate the impact of this vulnerability.

Restrict Access
Restricting network access to the server may prevent remote attackers from exploiting this vulnerability.
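As an added defensive example that is not part of this vulnerability note or of the vendor's software, the following Python check scans an FTP control-channel log for overlong arguments to common commands and records whether the client session was anonymous, which is the condition the mitigations above address. The log format, the watched command list and the 256-byte threshold are assumptions, and the sample log with its overlong argument is constructed, not a known FileCOPA trigger.

```python
from __future__ import annotations
import re
from typing import Iterator

# Constructed sample: one line per control-channel command, prefixed with the
# client address. This is an assumed format, not FileCOPA's own log layout.
SAMPLE_LOG = """\
10.0.0.5 USER anonymous
10.0.0.5 PASS guest@example.org
10.0.0.5 CWD pub
10.0.0.5 CWD """ + "A" * 600 + """
10.0.0.9 USER alice
10.0.0.9 PASS hunter2
10.0.0.9 RETR report.txt
"""

# Commands to watch and the argument length above which to alert (assumptions;
# legitimate paths and user names in RFC 959 sessions are normally short).
WATCHED = {"USER", "PASS", "CWD", "RETR", "STOR", "LIST", "MKD", "DELE", "PORT"}
MAX_ARG_LEN = 256
LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


def parse_lines(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (source address, upper-cased command, argument) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("cmd").upper(), m.group("arg") or ""


def find_suspicious(text: str, max_arg_len: int = MAX_ARG_LEN) -> list[dict]:
    """Return one alert per watched command whose argument exceeds max_arg_len.

    Anonymous logins are tracked per source address so each alert states
    whether the client ever had to present real credentials."""
    anonymous: set[str] = set()
    alerts: list[dict] = []
    for src, cmd, arg in parse_lines(text):
        if cmd == "USER":
            if arg.lower() in ("anonymous", "ftp"):
                anonymous.add(src)
            else:
                anonymous.discard(src)
        if cmd in WATCHED and len(arg) > max_arg_len:
            alerts.append({"src": src, "cmd": cmd, "arg_len": len(arg),
                           "anonymous": src in anonymous})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"{a['src']} {a['cmd']} arg_len={a['arg_len']} anonymous={a['anonymous']}")
```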

Vendor Information


Intervations, Inc. Affected

Updated: September 29, 2006

Status

Affected

Vendor Statement

We were first informed of this vulnerability on July 21st 2006. A fix was released that day and provided to all registered users (and users still using the 30 day trial) free of charge.

FileCOPA versions are dated. Any version showing a release date on the about screen newer than July 21st 2006 contains this patch.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Carsten Eiram, Secunia Research for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2006-3768
Severity Metric: 1.03
Date Public: 2006-07-25
Date First Published: 2006-09-29
Date Last Updated: 2006-09-29 14:03 UTC
Document Revision: 27

Sponsored by CISA.