Cerberus FTP server 3.0 crash bug


    Reporting a security issue. Version 3.0 can be crashed by sending an FTP command longer than 1400 bytes. It's not clear to me if this vulnerability is exploitable in any way that would allow code execution, but an attacker can crash the FTP server.

    CWD AAAAAA … [1400+ bytes]

    Note, I was able to crash the server with any command that is a valid command with an argument of 1400+ bytes. When it crashes the application kicks out an exception code of c0000417, STATUS_INVALID_CRUNTIME_PARAMETER. I also tested with string sizes 200, 500, 700, but the crash only occurs when the string length is equal to or greater than 1400 bytes.

    Problem signature:

    Problem Event Name: BEX
    Application Name: CerberusGUI.exe
    Application Version:
    Application Timestamp: 4a726319
    Fault Module Name: MSVCR90.dll
    Fault Module Version: 9.0.30729.4148
    Fault Module Timestamp: 4a594c79
    Exception Offset: 000375b4
    Exception Code: c0000417
    Exception Data: 00000000
    OS Version: 6.0.6001.
    Locale ID: 1033
    Additional Information 1: 5279
    Additional Information 2: 89d8199162307e605d4bbbed7bae4368
    Additional Information 3: 01c5
    Additional Information 4: 13926f9fb65e55e70738bba3548c7666


    Using Cerberus FTP server 3.0 Professional

    Build date: 2009/07/30


    Hello strace,

    I will check out the report and post a fix if necessary. The bug shouldn’t be exploitable as I use all secure C runtime functions for parsing (thus the CRUNTIME notice). Of course, using the secure C runtime isn’t a guarantee of safety but I will look into the issue and patch it immediately if I can duplicate it.

    If you discover any additional issues I would appreciate you emailing me first to give me a chance to examine and patch any potential security vulnerabilities.



    Confirmed the problem. There is no potential for a buffer overflow. The code checks properly for size before trying to use the buffer. Unfortunately, I have CRT set to terminate the program if a string longer than the buffer is passed in.

    Thanks for the bug report. I have a fix ready and I will hopefully be able to get it out sometime tomorrow.


    Excellent. Glad to have helped out.




    I wanted to see if a fix were in place for this yet. Once you can confirm a fix I am going to send out a report to bugtraq/full_disclosure mailing lists. This bug has been assigned CVE-2009-2763. Additionally, it's also tentatively classified as an instance of CWE-755 Improper Handling of Exceptional Conditions.

    While I have shared details about the vulnerability with members of the CVE & CWE teams, aside from this forum all details remain non-public. Once a fix is confirmed I will send out a notice to the security lists.



    Tom Stracener



    Yes, version 3.0.2 fixed the problem and several security sites picked up our change log and have posted details on the vulnerability. Most have listed it as a “Denial of Service Vulnerability”.
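
Added example, not part of the thread and not Cerberus code: a portable C sketch of the handling pattern the thread is about, where an over-long FTP command argument is rejected with an error reply instead of reaching a runtime check that terminates the process. The function names, the 1024-byte argument limit and the reply strings are assumptions; the thread does not give the real buffer size or the actual 3.0.2 fix.

```c
#include <stdio.h>
#include <string.h>
#define FTP_VERB_MAX 8
#define FTP_ARG_MAX  1024  /* assumed size; the thread does not give the real buffer size */
enum parse_result { PARSE_OK, PARSE_BAD_SYNTAX, PARSE_TOO_LONG };
struct ftp_cmd { char verb[FTP_VERB_MAX]; char arg[FTP_ARG_MAX]; };

/* Parse one command line (CRLF already stripped). Lengths are checked before
 * any copy, so an oversized argument is an ordinary error return, not an abort. */
enum parse_result parse_ftp_line(const char *line, size_t len, struct ftp_cmd *out)
{
    const char *sp = memchr(line, ' ', len);
    size_t vlen = sp ? (size_t)(sp - line) : len;
    size_t alen = sp ? len - vlen - 1 : 0;
    if (vlen == 0 || vlen >= FTP_VERB_MAX) return PARSE_BAD_SYNTAX;
    if (alen >= FTP_ARG_MAX) return PARSE_TOO_LONG;
    memcpy(out->verb, line, vlen);
    out->verb[vlen] = '\0';
    if (alen) memcpy(out->arg, sp + 1, alen);
    out->arg[alen] = '\0';
    return PARSE_OK;
}

/* Reply the session loop would send; NULL means "parsed, dispatch the command". */
const char *error_reply(enum parse_result r)
{
    if (r == PARSE_OK) return NULL;
    return r == PARSE_TOO_LONG ? "500 Command line too long." : "500 Syntax error, command unrecognized.";
}

/* Constructed input: "CWD " followed by arg_len 'A' bytes. */
enum parse_result parse_sample(size_t arg_len)
{
    static char line[4 + 4096];
    struct ftp_cmd cmd;
    if (arg_len > 4096) return PARSE_BAD_SYNTAX;
    memcpy(line, "CWD ", 4);
    memset(line + 4, 'A', arg_len);
    return parse_ftp_line(line, 4 + arg_len, &cmd);
}

int main(void)
{
    size_t sizes[] = { 200, 500, 700, 1400 };  /* argument lengths from the report */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        const char *r = error_reply(parse_sample(sizes[i]));
        printf("%zu bytes -> %s\n", sizes[i], r ? r : "accepted");
    }
    return 0;
}
```

The session stays up for every input length; only the reply changes once the argument no longer fits the buffer.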
