CVE-2003-0963

lftp <= 2.6.9 - Remote Code Execution via Long Directory Names in ls or rels Commands

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2003-0963. PoCs published by Li0n7.

AI-analyzed exploit summary: This exploit targets a stack-based buffer overflow in lftp versions up to 2.6.9 via the `try_netscape_proxy()` function. It includes a custom shellcode for port binding and allows configuration for different targets and return addresses.

Description

Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9 and earlier allow remote HTTP servers to execute arbitrary code via long directory names that are processed by the ls or rels commands.
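
The bug class behind this description, as an added worked example (constructed here; this is not lftp's code and not the exploit-db PoC): a listing parser copies a directory name taken from an HTTP directory listing into a fixed-size stack buffer without checking its length, shown next to the bounded form that refuses oversized names. The listing format, `NAME_BUF`, and the function names are assumptions for the example; the actual buffer sizes inside try_netscape_proxy and try_squid_eplf are not given on this page.

```c
/*
 * Added illustration of the bug class behind CVE-2003-0963. This is NOT
 * lftp's code: the listing format, buffer size and function names are
 * constructed for the example. The real try_netscape_proxy() and
 * try_squid_eplf() parse HTTP directory listings; the pattern shown is a
 * fixed-size stack buffer fed a directory name of attacker-chosen length.
 */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* assumed size of the on-stack name buffer */

/* Locate the text inside the first href="..." of a listing line.
 * Returns a pointer to its first character and stores its length, or NULL. */
static const char *href_field(const char *line, size_t *len)
{
    const char *p = strstr(line, "href=\"");
    if (p == NULL)
        return NULL;
    p += strlen("href=\"");
    const char *q = strchr(p, '"');
    if (q == NULL)
        return NULL;
    *len = (size_t)(q - p);
    return p;
}

/* Vulnerable pattern: the name is copied into a fixed stack buffer with no
 * check against NAME_BUF. A listing whose href is longer than NAME_BUF
 * overwrites whatever follows `name` on the stack (saved registers, the
 * return address). This example only ever calls it with a short line. */
int parse_entry_unsafe(const char *line, char *out, size_t outsz)
{
    char name[NAME_BUF];
    size_t len;
    const char *p = href_field(line, &len);
    if (p == NULL)
        return -1;
    memcpy(name, p, len);        /* unbounded: len is server-controlled */
    name[len] = '\0';
    snprintf(out, outsz, "%s", name);
    return 0;
}

/* Hardened form: reject any name that would not fit (including the NUL)
 * and copy straight into the caller's buffer using its real size. */
int parse_entry_safe(const char *line, char *out, size_t outsz)
{
    size_t len;
    const char *p = href_field(line, &len);
    if (p == NULL)
        return -1;               /* not a listing entry */
    if (len == 0 || len >= outsz)
        return -2;               /* oversized (or empty) name: refuse it */
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Build a hostile listing line whose href is `namelen` bytes of 'A'
 * (constructed input standing in for a malicious HTTP server or proxy). */
int make_hostile_line(char *buf, size_t bufsz, size_t namelen)
{
    const char *pre = "<a href=\"";
    const char *post = "\">x</a>";
    if (strlen(pre) + namelen + strlen(post) + 1 > bufsz)
        return -1;
    size_t n = 0;
    memcpy(buf, pre, strlen(pre));
    n += strlen(pre);
    memset(buf + n, 'A', namelen);
    n += namelen;
    memcpy(buf + n, post, strlen(post) + 1);
    return 0;
}

int main(void)
{
    char out[NAME_BUF];
    char hostile[512];
    const char *benign = "<a href=\"src/\">src/</a>";   /* constructed */

    parse_entry_safe(benign, out, sizeof out);
    printf("benign entry: %s\n", out);

    make_hostile_line(hostile, sizeof hostile, 300);
    int rc = parse_entry_safe(hostile, out, sizeof out);
    printf("hostile entry (300-byte name): rc=%d (%s)\n", rc,
           rc == -2 ? "rejected" : "accepted");
    /* parse_entry_unsafe(hostile, ...) would overrun `name` by 236 bytes. */
    return 0;
}
```

The attacker here is the server side: the victim's lftp client asks for a listing (ls or rels) and the hostile host or proxy answers with an entry long enough to overrun the stack buffer, which is why client-side bounds checking in the listing parser (or upgrading per the vendor advisories below) is the fix, not network filtering around the client.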

Exploits (1)

exploitdb · Working PoC · Verified
by Li0n7 · C · remote · linux
https://www.exploit-db.com/exploits/143


Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: lftp versions up to 2.6.9
No auth needed
Prerequisites: The target's lftp must fetch a directory listing (ls or rels) from an attacker-controlled HTTP server or proxy, since the overflow is client-side and triggered by the server's response · Target running a vulnerable version of lftp
devstral-2 · analyzed Feb 16, 2026

References (15)

Core References
Third Party Advisory (Secunia): http://secunia.com/advisories/10525
Vendor Advisory (SGI): ftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.asc
Mailing List (Bugtraq): http://marc.info/?l=bugtraq&m=107167974714484&w=2
Vendor Advisory (Red Hat, RHSA-2003:404): http://www.redhat.com/support/errata/RHSA-2003-404.html
Third Party Advisory (Debian, DSA-406): http://www.debian.org/security/2004/dsa-406
Vendor Advisory (Mandrake, MDKSA-2003:116): http://www.mandriva.com/security/advisories?name=MDKSA-2003:116
Vendor Advisory (SUSE): http://www.novell.com/linux/security/advisories/2003_051_lftp.html
Third Party Advisory, VDB Entry (OVAL): https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11180
Mailing List (Bugtraq): http://marc.info/?l=bugtraq&m=107126386226196&w=2
Mailing List (Bugtraq): http://marc.info/?l=bugtraq&m=107177409418121&w=2
Third Party Advisory (Secunia): http://secunia.com/advisories/10548
Vendor Advisory (SGI): ftp://patches.sgi.com/support/free/security/advisories/20040101-01-U
Mailing List (Conectiva vendor advisory): http://marc.info/?l=bugtraq&m=107340499504411&w=2
Vendor Advisory (Red Hat, RHSA-2003:403): http://www.redhat.com/support/errata/RHSA-2003-403.html
Mailing List (Bugtraq): http://marc.info/?l=bugtraq&m=107152267121513&w=2

Scores

EPSS 0.1368 (estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 96.0%

Details

Status published
Products (11)
alexander_v._lukyanov/lftp 2.3
alexander_v._lukyanov/lftp 2.4.9
alexander_v._lukyanov/lftp 2.5.2
alexander_v._lukyanov/lftp 2.6.0
alexander_v._lukyanov/lftp 2.6.3
alexander_v._lukyanov/lftp 2.6.4
alexander_v._lukyanov/lftp 2.6.5
alexander_v._lukyanov/lftp 2.6.6
alexander_v._lukyanov/lftp 2.6.7
alexander_v._lukyanov/lftp 2.6.8
... and 1 more
Published Jan 05, 2004
Tracked Since Feb 18, 2026