[VIM] AT-TFTP Server v1.8 Remote Denial of Service Vulnerability
George A. Theall
theall at tenable.com
Tue Apr 26 08:30:25 CDT 2011
Has anyone looked at the report of a DoS in AT-TFTP v1.8 server that
SecPod Research published and SecurityFocus covers with BID 47561?
Version 1.8 is rather old, and there have been at least two other
reports of issues in it:
- Luigi Auriemma reported a directory traversal as well as a buffer
overflow vulnerability in it back in 2004: http://aluigi.altervista.org/adv/attftp-adv.txt
(BID 11584).
- Pr0T3cT10n re-reported the directory traversal vulnerability in
1.8 in 2010 (EDB-ID 15438 / BID 44711). And s/he specifically gave as
a PoC a GET request for '../../../boot.ini'.
- Liu Qixu reported a (very similar?) buffer overflow that can be
triggered with a long file name in GET or PUT requests in v1.9 in
2006: http://www.securityfocus.com/archive/1/452743/30/0/threaded (BID
21320)
The PoC in SecPod's advisory is:
# TFTP read request: opcode 0x0001 (RRQ), filename '../../../boot.ini', NUL, mode 'netascii', NUL
data = '\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f' + \
       '\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00'
I don't see anything there that would overflow a buffer. Instead, it
decodes to a GET request for '../../../boot.ini' in NETASCII mode,
nearly identical to what Pr0T3cT10n had used in his report and very
similar to what Luigi Auriemma had. Thus, it makes me wonder if SecPod
posted the wrong exploit.
Thoughts?
George
--
theall at tenablesecurity.com
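To check the decoding described in the post, the following added example (not code from the post, from SecPod's advisory or from AT-TFTP) parses a TFTP RRQ/WRQ packet per RFC 1350 and flags the two patterns the cited reports describe, a '..' path component and an overlong filename. The byte string is a constructed copy of the quoted PoC, and the 64-byte filename threshold is an assumed value, not something the post states.

```python
import struct

RRQ, WRQ = 1, 2
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

# Constructed copy of the bytes quoted from SecPod's PoC in the post above.
SECPOD_POC = (b"\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f"
              b"\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00")


def parse_tftp_request(pkt):
    """Decode a TFTP read/write request: 2-byte opcode, filename NUL, mode NUL."""
    if len(pkt) < 4:
        raise ValueError("packet too short for a TFTP header")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a read/write request: opcode %d" % opcode)
    fields = pkt[2:].split(b"\x00")
    # Both strings must be NUL-terminated, so the last split element is empty.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("filename and mode must both be NUL-terminated")
    filename, mode = fields[0], fields[1]
    return {"op": OPCODES[opcode],
            "filename": filename.decode("latin-1"),
            "mode": mode.decode("latin-1").lower()}


def classify_request(pkt, max_name=64):
    """Return (decoded request, list of findings). max_name is an assumed limit."""
    req = parse_tftp_request(pkt)
    findings = []
    # Normalise Windows separators so '..\\' is caught the same way as '../'.
    parts = req["filename"].replace("\\", "/").split("/")
    if ".." in parts:
        findings.append("directory traversal")
    if len(req["filename"]) > max_name:
        findings.append("long filename (%d bytes)" % len(req["filename"]))
    if req["mode"] not in ("netascii", "octet", "mail"):
        findings.append("unknown mode")
    return req, findings


if __name__ == "__main__":
    print(classify_request(SECPOD_POC))
```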