Critical security advisory #006
Tftpd32 2.81 Format String + DoS PoC
Critical Security - 22:03 2006.01.19

Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits: Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200

Description:
Tftpd32 2.81 passes attacker-controlled request data to wvsprintfA as the format string instead of as an argument. Because the format directives in that data are interpreted by the formatting routine, the bug allows a remote denial of service and may allow remote code execution. The vulnerability is triggered by sending a SEND or GET request containing a specially formatted string (one carrying format directives).

Vulnerable code:
LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX                                  ; /Arglist
PUSH EDX                                  ; |Format
PUSH EAX                                  ; |s = 00E6F4E8
CALL DWORD PTR DS:[<&USER32.wvsprintfA>]  ; \wvsprintfA

Proof of concept exploit:
http://www.critical.lt/research/tftpd32_281_dos.txt
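The bug class behind this advisory, as an added example that is neither Critical Security's PoC nor Tftpd32 code: a TFTP request is parsed per RFC 1350 (2-byte opcode, NUL-terminated filename, NUL-terminated mode), and its filename is then logged once with the filename as the format string (the pattern the disassembly shows, with portable vsnprintf standing in for wvsprintfA) and once with a constant "%s" format. The packet bytes are constructed for the example, and the assumption that the filename field is the data reaching the format argument is mine, not something the advisory states. A small helper counts '%' characters in the filename so the same parser can serve as a detection check.

```c
/* Added example (not the advisory's PoC, not Tftpd32 code).
 * Portable C: vsnprintf stands in for wvsprintfA. TFTP layout per
 * RFC 1350. The sample packet below is constructed for this example. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2

/* Parsed request; pointers reference into the packet buffer. */
struct tftp_req {
    unsigned opcode;
    const char *filename;
    const char *mode;
};

/* Parse an RRQ/WRQ: 2-byte big-endian opcode, then two NUL-terminated
 * strings. Returns 0 on success, -1 if the packet is malformed. */
int tftp_parse_request(const unsigned char *pkt, size_t len, struct tftp_req *out)
{
    if (len < 4) return -1;
    out->opcode = ((unsigned)pkt[0] << 8) | pkt[1];
    if (out->opcode != TFTP_RRQ && out->opcode != TFTP_WRQ) return -1;
    const unsigned char *p = pkt + 2, *end = pkt + len;
    const unsigned char *nul = memchr(p, 0, (size_t)(end - p));
    if (!nul) return -1;
    out->filename = (const char *)p;
    p = nul + 1;
    if (p >= end) return -1;
    nul = memchr(p, 0, (size_t)(end - p));
    if (!nul) return -1;
    out->mode = (const char *)p;
    return 0;
}

/* Generic logger in the style of the vulnerable call site: a format
 * string plus a va_list, like wvsprintfA(buf, fmt, arglist). */
static void log_format(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the attacker-controlled filename *is* the format string,
 * so every %-directive in it is interpreted by the formatting routine
 * (assumed vector; the advisory does not name the field). */
void log_request_vulnerable(char *buf, size_t cap, const struct tftp_req *r)
{
    log_format(buf, cap, r->filename);
}

/* FIXED: a constant format; the filename is only ever a %s argument. */
void log_request_fixed(char *buf, size_t cap, const struct tftp_req *r)
{
    log_format(buf, cap, "%s", r->filename);
}

/* Detection helper: number of '%' characters in the filename field of a
 * well-formed RRQ/WRQ, or -1 if the packet does not parse. */
int tftp_count_format_chars(const unsigned char *pkt, size_t len)
{
    struct tftp_req r;
    if (tftp_parse_request(pkt, len, &r) != 0) return -1;
    int n = 0;
    for (const char *s = r.filename; *s; s++) if (*s == '%') n++;
    return n;
}

int main(void)
{
    /* Constructed WRQ: opcode 2, filename "a%%b", mode "octet". "%%" is
     * the one directive with fully defined behaviour, so the difference
     * between the two loggers can be shown without undefined reads. */
    static const unsigned char pkt[] = {
        0x00, 0x02, 'a', '%', '%', 'b', 0, 'o', 'c', 't', 'e', 't', 0
    };
    struct tftp_req r;
    char vbuf[64], fbuf[64];
    if (tftp_parse_request(pkt, sizeof pkt, &r) != 0) return 1;
    log_request_vulnerable(vbuf, sizeof vbuf, &r);
    log_request_fixed(fbuf, sizeof fbuf, &r);
    printf("vulnerable logged: %s\nfixed logged:      %s\n", vbuf, fbuf);
    printf("format chars in filename: %d\n",
           tftp_count_format_chars(pkt, sizeof pkt));
    return 0;
}
```

The vulnerable logger collapses "a%%b" to "a%b", proving the filename was interpreted as a format; with directives such as %x or %n the same call would read or write through the stack, which is the path from the advisory's DoS to its possible code execution. The fixed logger reproduces the filename byte for byte.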