
[Repost] Crystal FTP Pro Client LIST Buffer Overflow Vulnerability


Source: Security Team

Crystal FTP Pro Client LIST Buffer Overflow

Summary
Crystal FTP Pro is "a Top awarded FTP client for dummies and experts". A vulnerability in the way Crystal FTP Pro parses incoming LIST responses allows a remote attacker to cause the program to execute arbitrary code.

Details
Vulnerable Systems:
* Crystal FTP Pro version 2.8

The Crystal FTP Pro client does not perform bounds checking on the results returned by the 'LIST' command. A malicious FTP server can execute arbitrary code on the target user's client by replying to a 'LIST' command request with a file list that contains a long file extension.

Example:
le.AAAAAAAAAAAA...(over 250 characters)

Additional information
The information has been provided by Luca Ercoli.
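
A bounds-checked way to extract the extension from a file name taken from a LIST reply, as an added example that is not part of the original advisory or of Crystal FTP Pro's code. `copy_extension`, `EXT_MAX` and the return codes are hypothetical names, and the 16-byte limit is an assumption, since the advisory does not state the client's real buffer size.

```c
#include <stddef.h>
#include <string.h>

#define EXT_MAX 16   /* hypothetical limit; the real client's buffer size is not published */

/* Return codes for copy_extension(). */
enum { EXT_OK = 0, EXT_NONE = 1, EXT_TOO_LONG = -1, EXT_BAD_ARG = -2 };

/*
 * Copy the extension of `name` (text after the last '.') into `out`.
 * `name` is a file name taken from a server-supplied LIST line and is
 * untrusted. Assumption: the caller already read it as a NUL-terminated
 * string. The unsafe pattern this replaces is strcpy(ext, dot + 1)
 * into a fixed-size stack buffer.
 */
int copy_extension(const char *name, char *out, size_t out_size)
{
    if (name == NULL || out == NULL || out_size == 0)
        return EXT_BAD_ARG;
    out[0] = '\0';                    /* out is always a valid string on return */

    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot[1] == '\0')
        return EXT_NONE;              /* no extension present */

    size_t len = strlen(dot + 1);
    if (len >= out_size)
        return EXT_TOO_LONG;          /* reject instead of truncating or overflowing */

    memcpy(out, dot + 1, len + 1);    /* len + 1 copies the terminating NUL */
    return EXT_OK;
}

/* Constructed demo: one normal name and one with a 300-byte extension. */
int main(void)
{
    char ext[EXT_MAX];
    char hostile[2 + 300 + 1] = "x.";
    memset(hostile + 2, 'A', 300);
    hostile[302] = '\0';

    int ok = copy_extension("readme.txt", ext, sizeof ext);
    int bad = copy_extension(hostile, ext, sizeof ext);
    return (ok == EXT_OK && bad == EXT_TOO_LONG) ? 0 : 1;
}
```

A client that gets `EXT_TOO_LONG` should skip or flag the listing entry rather than fall back to a truncated copy, so that an oversized field from the server is visible in logs.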