Turbo FTP Server versions 1.30.823 and 1.30.826 contain a buffer overflow vulnerability in the handling of the PORT command. By sending a specially crafted payload, an unauthenticated remote attacker can overwrite memory structures and execute arbitrary code with SYSTEM privileges.
The vulnerability (CWE-120) results from improper input validation when processing the PORT command of the FTP protocol. An attacker sends a specially crafted payload that causes a buffer overflow and overwrites critical memory structures of the server process. As a result, code execution can be redirected to shellcode controlled by the attacker.
An attacker gains the ability to execute arbitrary code (RCE) in the context of the SYSTEM account, which means complete takeover of the server. The confidentiality, integrity, and availability of both the system itself and resources connected to it are compromised.
Patches available from the vendor should be applied according to the references provided. Until updates are applied, it is recommended to restrict access to the FTP server port only to trusted IP addresses using a firewall and consider disabling the service if it is not essential.
Turbo FTP Server in versions 1.30.823 and 1.30.826
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X