===============================================================================
 zFtp Server <= 2011-04-13 | "STAT,CWD" Remote Denial of Service Vulnerability
===============================================================================


1. OVERVIEW

The zFTP server is vulnerable to denial of service when handling STAT and CWD commands whose argument is an overly large buffer.
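The defensive counterpart to the condition above, as an added example that is not zFTP Server code and not part of the original advisory: a control-channel line parser that rejects oversized STAT/CWD arguments before any per-command handler sees them, plus a screening routine that flags such commands in constructed log lines. The 512-byte limit and the `timestamp client verb argument` log format are assumptions made for this example, not values taken from the advisory or from zFTP.

```python
"""Bounded FTP command parsing and log screening for oversized STAT/CWD
arguments.  Illustrative code added alongside the advisory; not zFTP code.
The argument cap and the log-line layout are assumptions of this example."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MAX_ARG_LEN = 512          # assumed cap; a real server derives it from its buffer size
WATCHED = {"STAT", "CWD"}  # verbs named in the advisory


@dataclass(frozen=True)
class Command:
    verb: str
    arg: str


def parse_ftp_line(raw: bytes, max_arg_len: int = MAX_ARG_LEN) -> Command:
    """Parse one control-channel line of the RFC 959 form VERB [SP arg] CRLF.

    Length is checked on the raw bytes first, so a fixed-size handler buffer
    can never be reached with more data than it was written to hold.
    """
    # verb (<= 4 bytes) + SP + argument + CRLF, with a little slack
    if len(raw) > max_arg_len + 8:
        raise ValueError("control line too long")
    line = raw.rstrip(b"\r\n")
    if not line:
        raise ValueError("empty command")
    verb, _, arg = line.partition(b" ")
    if not re.fullmatch(rb"[A-Za-z]{3,4}", verb):
        raise ValueError("malformed verb")
    if len(arg) > max_arg_len:
        raise ValueError(f"argument exceeds {max_arg_len} bytes")
    return Command(verb.decode("ascii").upper(), arg.decode("latin-1"))


# Assumed log layout: "<timestamp> <client-ip> <VERB> [argument]"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<verb>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")


def flag_oversized(lines: Iterable[str],
                   max_arg_len: int = MAX_ARG_LEN) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, client, verb, argument_length) for every STAT/CWD
    line whose argument exceeds the cap.  Lines that do not match the assumed
    layout are skipped rather than raising, so one odd line cannot stop a scan."""
    hits = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if not m:
            continue
        verb = m.group("verb").upper()
        arg = m.group("arg") or ""
        if verb in WATCHED and len(arg) > max_arg_len:
            hits.append((m.group("ts"), m.group("ip"), verb, len(arg)))
    return hits


# Constructed sample log; the long arguments stand in for the oversized buffers.
SAMPLE_LOG = [
    "2011-10-25T10:00:01Z 192.0.2.10 USER alice",
    "2011-10-25T10:00:02Z 192.0.2.10 CWD /pub",
    "2011-10-25T10:00:03Z 192.0.2.10 STAT " + "A" * 4096,
    "2011-10-25T10:00:04Z 192.0.2.10 CWD " + "B" * 2048,
    "2011-10-25T10:00:05Z 192.0.2.10 QUIT",
]

if __name__ == "__main__":
    print(parse_ftp_line(b"CWD /pub\r\n"))
    for hit in flag_oversized(SAMPLE_LOG):
        print("oversized argument:", hit)
```

The parser bounds the raw line before parsing so the check is independent of which verb follows; the log scan only reports the two verbs the advisory names, but widening `WATCHED` turns it into a general oversized-argument monitor.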


2. BACKGROUND

The zFTP server is a Windows-based FTP server with a focus on Active Directory integration and simple, powerful administration.


3. VERSIONS AFFECTED

2011-04-13 and earlier


4. PROOF-OF-CONCEPT/EXPLOIT

http://www.exploit-db.com/exploits/18028/


5. SOLUTION

The vendor has released a patched version (http://download.zftpserver.com/zFTPServer_Suite_Setup.exe).


6. VENDOR

Vastgota-Data


7. CREDIT

This vulnerability was discovered by Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


8. DISCLOSURE TIME-LINE

2011-06-19: notified vendor through email
2011-10-17: vendor released fixed version
2011-10-25: vulnerability disclosed


9. REFERENCES

Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/%5Bzftpserver_2011-04-13%5D_stat,cwd_dos
zFTP Server Home Page: http://zftpserver.com


#yehg [2011-10-25]


