###############################################################################
AT-TFTP Server v1.8 Remote Denial of Service  Vulnerability

SecPod Technologies (www.secpod.com)
Author: Antu Sanadi
###############################################################################

SecPod ID: 1013					01/04/2011 Issue Discovered
						04/04/2011 Vendor Notified
						No Response from the Vendor
						25/04/2011 Advisory Released
					       

Class: Denial of Service			Severity: High


Overview:
---------
AT-TFTP Server v1.8 is prone to a remote Denial of Service vulnerability
as it fails to handle 'read' requests from the client properly.


Technical Description:
----------------------
The vulnerability is caused by an error in the "TFTPD.EXE" which causes the
server to crash when no acknowledgement response is sent back to the server
after a successful 'read'.


Impact:
--------
Successful exploitation could allow an attacker to crash a vulnerable server.


Affected Software:
------------------
AT-TFTP Server version 1.8

Tested on,
AT-TFTP Server version 1.8 on Windows XP SP3


References:
-----------
http://secpod.org/blog/?p=194
http://www.alliedtelesis.co.nz/
http://secpod.org/SecPod_AT_TFTP_DoS-POC.py
http://secpod.org/advisories/SecPod_AT_TFTP_DoS.txt


Proof of Concept:
----------------
http://secpod.org/blog/?p=194
http://secpod.org/SecPod_AT_TFTP_DoS-POC.py


Solution:
----------
Not available


Risk Factor:
-------------
    CVSS Score Report: 
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = LOW
        AUTHENTICATION         = NONE
        CONFIDENTIALITY_IMPACT = NONE
        INTEGRITY_IMPACT       = NONE
        AVAILABILITY_IMPACT    = COMPLETE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 7.8 (High) (AV:N/AC:L/Au:N/C:N/I:N/A:C)


Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
vulnerability.