Credit: Matt Bergin
Matt Bergin discovered a remote code execution vulnerability in the Microsoft FTP server. The vulnerability is caused by a boundary error when encoding Telnet IAC characters (specifically the 0xFF byte) in an FTP response. It can be exploited without authenticating to the FTP service to cause a heap-based buffer overflow by sending an overly long, specially crafted FTP request. This vulnerability was exploited by Chris Valasek and Ryan Smith, who achieved EIP control and theorized that full exploitation is possible.
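The bug class behind this advisory is worth seeing in isolation: Telnet requires a literal 0xFF (IAC) byte to be sent as 0xFF 0xFF, so an escaped response can be up to twice as long as its input, and an output buffer sized to the input length overflows by one byte per IAC. The following C program is an added illustration of that length-accounting error and of the corrected encoder; it is not Microsoft's code and says nothing about the server's actual internals. All names and the sample data are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IAC 0xFF  /* Telnet "Interpret As Command" byte; a literal one is sent doubled */

/* Bytes the Telnet-escaped form of in[0..n) needs: every 0xFF expands to 0xFF 0xFF. */
size_t iac_encoded_len(const uint8_t *in, size_t n) {
    size_t out = n;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == IAC) out++;
    }
    return out;
}

/* The flawed assumption: an output buffer of exactly n bytes (the input length).
 * Returns how many bytes past such a buffer the escaped data would extend. */
size_t naive_overflow_bytes(const uint8_t *in, size_t n) {
    size_t needed = iac_encoded_len(in, n);
    return needed > n ? needed - n : 0;
}

/* Hardened encoder: computes the expanded size first and refuses to write when
 * the destination is too small. Returns bytes written, or 0 on refusal; *needed
 * always receives the required capacity so the caller can reallocate. */
size_t iac_encode(const uint8_t *in, size_t n, uint8_t *out, size_t cap, size_t *needed) {
    size_t req = iac_encoded_len(in, n);
    if (needed) *needed = req;
    if (req > cap) return 0;  /* would overflow: fail closed instead of writing */
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        out[j++] = in[i];
        if (in[i] == IAC) out[j++] = IAC;  /* double the IAC byte */
    }
    return j;
}

/* Constructed sample payload: two IAC bytes among ordinary data. */
static const uint8_t sample[] = { 0x41, IAC, IAC, 0x42 };
static const size_t sample_len = sizeof(sample);

/* Self-check used by the stand-alone run: 1 if every expectation holds, 0 otherwise. */
int iac_demo_self_check(void) {
    uint8_t small[4];   /* sized to the input: the flawed allocation */
    uint8_t big[8];
    size_t needed = 0;

    if (iac_encoded_len(sample, sample_len) != 6) return 0;
    if (naive_overflow_bytes(sample, sample_len) != 2) return 0;

    /* Too-small destination is refused rather than overrun. */
    if (iac_encode(sample, sample_len, small, sizeof(small), &needed) != 0) return 0;
    if (needed != 6) return 0;

    /* Correctly sized destination receives the doubled IAC bytes. */
    size_t wrote = iac_encode(sample, sample_len, big, sizeof(big), &needed);
    const uint8_t expect[] = { 0x41, IAC, IAC, IAC, IAC, 0x42 };
    if (wrote != 6 || memcmp(big, expect, 6) != 0) return 0;
    return 1;
}

int main(void) {
    printf("input %zu bytes, escaped %zu bytes, naive buffer overrun by %zu bytes\n",
           sample_len, iac_encoded_len(sample, sample_len),
           naive_overflow_bytes(sample, sample_len));
    printf("self-check: %s\n", iac_demo_self_check() ? "ok" : "FAILED");
    return iac_demo_self_check() ? 0 : 1;
}
```

The defensive point is that the encoded length must be derived from the input content, not its size; sizing the destination from the pre-encoding length is exactly the boundary error the advisory describes, and a request consisting mostly of 0xFF bytes maximizes the discrepancy.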