A high-severity buffer overflow in MiniFtp allows local users to escalate privileges and execute arbitrary code by exploiting the configuration parsing mechanism.

A buffer overflow exists in the parseconf_load_setting function of MiniFtp. This vulnerability is exploitable by a local, authenticated attacker who can supply oversized configuration values, leading to memory corruption and arbitrary code execution.

While the attack requires local access, the ability to execute arbitrary code typically leads to full system compromise and privilege escalation. With a CVSS score of 8.4, the risk to internal system integrity and the confidentiality of hosted files is high, particularly in multi-user environments.

Immediate Action: Apply the latest security updates for MiniFtp that include bounds checking for the parseconf_load_setting function.

Proactive Monitoring: Monitor for unauthorized changes to FTP configuration files and review system audit logs for unusual process executions originating from the MiniFtp service.

Compensating Controls: Use filesystem permissions to strictly limit who can modify configuration files and employ security software that detects buffer overflow attempts (e.g., DEP/ASLR).

Public Exploit Available: false

Despite the local requirement for exploitation, the high CVSS score of 8.4 demands immediate remediation. Administrators should patch MiniFtp immediately to prevent local attackers from gaining elevated control over the server.