Tftpd32 GET/PUT Command File Name Handling Overflow
2006-11-18T00:00:00
ID TFTPD32_FILENAME_OVERFLOW.NASL Type nessus Reporter Tenable Modified 2018-11-15T00:00:00
Description
The remote host appears to be running Tftpd32, a tftpd server for Windows.
The version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames.
By leveraging this flaw, a remote attacker may be able to crash the server or to execute code on the affected host subject to the privileges under which the server operates, possibly SYSTEM since the application can be configured to run as a service.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: evaluated when `description` is set, i.e. when the plugin
# is loaded for its metadata. The exit(0) at the end of the block stops the
# script before any probe is sent.
if (description)
{
script_id(23650);
script_version("1.19");
script_cvs_date("Date: 2018/11/15 20:50:29");
script_cve_id("CVE-2006-6141");
script_bugtraq_id(21148);
script_name(english:"Tftpd32 GET/PUT Command File Name Handling Overflow");
script_summary(english:"Checks for a buffer overflow vulnerability in Tftpd32");
script_set_attribute(attribute:"synopsis", value:"The remote TFTP server is affected by a buffer overflow vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host appears to be running Tftpd32, a tftpd server for
Windows.
The version of Tftpd32 installed on the remote host appears to be
affected by a buffer overflow vulnerability involving long filenames.
By leveraging this flaw, a remote attacker may be able to crash the
server or to execute code on the affected host subject to the
privileges under which the server operates, possibly SYSTEM since the
application can be configured to run as a service.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/451951/30/0/threaded");
# NOTE(review): the temporal vector below carries RL:OF (official fix available
# in CVSS v2), which does not agree with "Unknown at this time." here. One of
# the two looks stale - confirm against the vendor's release notes.
script_set_attribute(attribute:"solution", value:"Unknown at this time.");
# NOTE(review): the base vector scores availability impact only
# (C:N/I:N/A:P), while the description text also mentions possible code
# execution with the service's privileges. Triage on the description, not on
# the score alone - confirm which was intended.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/18");
# Marked as a potential finding: the check below infers the flaw from the
# server going silent rather than from a version or banner.
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# Declares that the check can take the target service down. Presumably the
# scanner skips this category when safe checks are enabled - confirm in the
# scan policy before running against production hosts.
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
# Runs after TFTP service detection and only when both KB keys are present:
# a TFTP service found over UDP, and paranoid reporting selected.
script_dependencies("tftpd_detect.nasl");
script_require_keys("Services/udp/tftp", "Settings/ParanoidReport");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
# The result of this check is inferred from silence on the wire, so it is only
# allowed to run when the scan asks for paranoid reporting (level 2 or above).
if (report_paranoia < 2) {
  audit(AUDIT_PARANOID);
}

# UDP port recorded in the KB for the TFTP service. The standard TFTP port 69
# is used if the lookup yields nothing.
port = get_kb_item("Services/udp/tftp");
if (!port) {
  port = 69;
}
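# Shared request/response helper behind tftp_get() and tftp_write().
#
# Forges a single TFTP request datagram (2-byte opcode, filename, NUL,
# transfer mode "netascii", NUL), sends it to the scan target and captures
# the reply with a pcap filter.
#
# Args:
#   port   - UDP port of the TFTP service; 69 is used when NULL.
#   file   - filename placed in the request; when NULL nothing is sent.
#   opcode - low byte of the TFTP opcode (0x01 = read request,
#            0x02 = write request).
#
# Returns the UDP payload of the first captured reply, or NULL when `file`
# is NULL or no reply was captured.
function tftpd32_request(port, file, opcode) {
  local_var filter, i, ip, req, res, sport, tries, udp;

  if (isnull(port)) port = 69;
  if (isnull(file)) return NULL;

  req = raw_string(
    0x00, opcode,      # opcode
    file, 0x00,        # file
    "netascii", 0x00   # as netascii
  );

  ip = forge_ip_packet(
    ip_hl:5,
    ip_v:4,
    ip_tos:0,
    ip_len:20,
    ip_id:rand(),
    ip_off:0,
    ip_ttl:64,
    ip_p:IPPROTO_UDP,
    ip_src:this_host()
  );

  # Random source port in the range 1024-65535.
  sport = rand() % 64512 + 1024;
  udp = forge_udp_packet(
    ip:ip,
    uh_sport:sport,
    uh_dport:port,
    uh_ulen:8 + strlen(req),
    data:req
  );

  # Accept any datagram from the target addressed to our source port whose
  # first payload byte is 0x00 (the high byte of a TFTP opcode). The reply's
  # source port is deliberately left unconstrained, since the filter names
  # only the source host.
  filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';

  # UDP is lossy: send up to twice, each time with a 1-unit capture timeout,
  # and stop at the first reply. A lost reply on both tries is
  # indistinguishable from a dead service at this level.
  tries = 2;
  for (i=0; i < tries; i++) {
    res = send_packet(
      udp,
      pcap_active:TRUE,
      pcap_filter:filter,
      pcap_timeout:1
    );
    if (res) break;
  }

  if (!res) return NULL;
  return get_udp_element(udp:res, element:"data");
}


# Sends a TFTP read request for `file` to `port` (default 69).
# Returns the reply payload, or NULL if `file` is NULL or nothing came back.
function tftp_get(port, file) {
  return tftpd32_request(port:port, file:file, opcode:0x01);
}


# Sends a TFTP write request for `file` to `port` (default 69).
# Returns the reply payload, or NULL if `file` is NULL or nothing came back.
function tftp_write(port, file) {
  return tftpd32_request(port:port, file:file, opcode:0x02);
}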
# Detection logic - three probes over UDP:
#   1. Read request for a probe filename that is unlikely to exist; any reply
#      (an error packet counts) shows the service is answering.
#   2. Write request whose filename is the probe name padded with 200 filler
#      bytes plus ".txt".
#   3. If (2) went unanswered, repeat (1); continued silence is reported.
#
# The finding rests on silence alone. Packet loss, rate limiting, or a server
# that stops answering a client after a rejected request looks the same, so a
# report should be confirmed against the installed Tftpd32 version. On an
# affected server, probe (2) may leave the service down until it is restarted.
file = string(SCRIPT_NAME, "-", unixtime());

# Probe 1: baseline. No reply means there is nothing to test.
res = tftp_get(port:port, file:file);
if (isnull(res)) exit(0);

# Probe 2: long-filename write request. A reply means the server survived it.
res = tftp_write(port:port, file:file+crap(200)+".txt");
if (!isnull(res)) exit(0);

# Probe 3: repeat the baseline. Still no reply: flag the service.
res = tftp_get(port:port, file:file);
if (isnull(res)) security_warning(port:port, protocol:"udp");
{"id": "TFTPD32_FILENAME_OVERFLOW.NASL", "bulletinFamily": "scanner", "title": "Tftpd32 GET/PUT Command File Name Handling Overflow", "description": "The remote host appears to be running Tftpd32, a tftpd server for Windows.\n\nThe version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the server or to execute code on the affected host subject to the privileges under which the server operates, possibly SYSTEM since the application can be configured to run as a service.", "published": "2006-11-18T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=23650", "reporter": "Tenable", "references": ["https://www.securityfocus.com/archive/1/451951/30/0/threaded"], "cvelist": ["CVE-2006-6141"], "type": "nessus", "lastseen": "2019-02-21T01:09:35", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2006-6141"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "The remote host appears to be running Tftpd32, a tftpd server for Windows.\n\nThe version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the server or to execute code on the affected host subject to the privileges under which the server operates, possibly SYSTEM since the application can be configured to run as a service.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a003dbfee9d26796b36723f9be07f390dcb91c3af5d2201d5fa9d1cd81145982", "hashmap": [{"hash": "d2aa29f535ead867ca8870af5a13ea18", "key": "cvelist"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, 
{"hash": "3a4a358d54a3afc38778067bfa26f839", "key": "published"}, {"hash": "4aa58edb34f602274ca6991a8056c136", "key": "modified"}, {"hash": "3e7654d21f194a07602455cdd417077a", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "5c797024cc715160881bf71d1b1db9f8", "key": "description"}, {"hash": "45c7cae4b772fbb12cf4630969cbb7a0", "key": "title"}, {"hash": "51cb8efc21e2f073d9261b4d059ed96d", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "2ade29be5d27062a2625497a45f4bfe9", "key": "sourceData"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "2e77fab96bbaebdfc3eda6a9a061e2e5", "key": "references"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23650", "id": "TFTPD32_FILENAME_OVERFLOW.NASL", "lastseen": "2018-09-01T23:52:09", "modified": "2018-08-01T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23650", "published": "2006-11-18T00:00:00", "references": ["http://www.securityfocus.com/archive/1/451951/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23650);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/08/01 17:36:15\");\n\n script_cve_id(\"CVE-2006-6141\");\n script_bugtraq_id(21148);\n\n script_name(english:\"Tftpd32 GET/PUT Command File Name Handling Overflow\");\n script_summary(english:\"Checks for a buffer overflow vulnerability in Tftpd32\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote TFTP server is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Tftpd32, a tftpd server for\nWindows.\n\nThe version of Tftpd32 installed on the 
remote host appears to be\naffected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the\nserver or to execute code on the affected host subject to the\nprivileges under which the server operates, possibly SYSTEM since the\napplication can be configured to run as a service.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/451951/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/11/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"tftpd_detect.nasl\");\n script_require_keys(\"Services/udp/tftp\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"Services/udp/tftp\");\nif (!port) port = 69;\n\n\nfunction tftp_get(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x01, # Get\n file, 0x00, # file\n \"netascii\", 0x00 
# as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\nfunction tftp_write(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x02, # Write\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\n# If the server is up...\nfile = string(SCRIPT_NAME, \"-\", unixtime());\nres = tftp_get(port:port, file:file);\nif (!isnull(res)) {\n # Try to exploit it by writing a file with a long name.\n res = tftp_write(port:port, file:file+crap(200)+\".txt\");\n\n # If we didn't get anything back...\n if (isnull(res)) {\n # Test the server again.\n 
res = tftp_get(port:port, file:file);\n\n # There's a problem if we didn't get anything back.\n if (isnull(res)) security_warning(port:port, protocol:\"udp\");\n }\n}\n", "title": "Tftpd32 GET/PUT Command File Name Handling Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["references", "modified", "sourceData"], "edition": 4, "lastseen": "2018-09-01T23:52:09"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2006-6141"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "The remote host appears to be running Tftpd32, a tftpd server for Windows.\n\nThe version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the server or to execute code on the affected host subject to the privileges under which the server operates, possibly SYSTEM since the application can be configured to run as a service.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "698431a405b6f1b63d5d3a9f52cbca08951ac5f98936bcbd91cc23d004ba2e78", "hashmap": [{"hash": "d2aa29f535ead867ca8870af5a13ea18", "key": "cvelist"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "3a4a358d54a3afc38778067bfa26f839", "key": "published"}, {"hash": "3e7654d21f194a07602455cdd417077a", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "5c797024cc715160881bf71d1b1db9f8", "key": "description"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "45c7cae4b772fbb12cf4630969cbb7a0", "key": "title"}, {"hash": "8eb0a19e3a65b6a7402eb8764e07fb58", "key": "references"}, {"hash": "51cb8efc21e2f073d9261b4d059ed96d", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": 
"84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "2e3e663dc2e4fbc44625b502b0a241ec", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23650", "id": "TFTPD32_FILENAME_OVERFLOW.NASL", "lastseen": "2018-11-17T03:04:53", "modified": "2018-11-15T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23650", "published": "2006-11-18T00:00:00", "references": ["https://www.securityfocus.com/archive/1/451951/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23650);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2006-6141\");\n script_bugtraq_id(21148);\n\n script_name(english:\"Tftpd32 GET/PUT Command File Name Handling Overflow\");\n script_summary(english:\"Checks for a buffer overflow vulnerability in Tftpd32\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote TFTP server is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Tftpd32, a tftpd server for\nWindows.\n\nThe version of Tftpd32 installed on the remote host appears to be\naffected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the\nserver or to execute code on the affected host subject to the\nprivileges under which the server operates, possibly SYSTEM since the\napplication can be configured to run as a service.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/451951/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/11/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"tftpd_detect.nasl\");\n script_require_keys(\"Services/udp/tftp\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"Services/udp/tftp\");\nif (!port) port = 69;\n\n\nfunction tftp_get(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x01, # Get\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the 
data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\nfunction tftp_write(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x02, # Write\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\n# If the server is up...\nfile = string(SCRIPT_NAME, \"-\", unixtime());\nres = tftp_get(port:port, file:file);\nif (!isnull(res)) {\n # Try to exploit it by writing a file with a long name.\n res = tftp_write(port:port, file:file+crap(200)+\".txt\");\n\n # If we didn't get anything back...\n if (isnull(res)) {\n # Test the server again.\n res = tftp_get(port:port, file:file);\n\n # There's a problem if we didn't get anything back.\n if (isnull(res)) security_warning(port:port, protocol:\"udp\");\n }\n}\n", "title": "Tftpd32 GET/PUT Command File Name Handling Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["description"], "edition": 5, "lastseen": "2018-11-17T03:04:53"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2006-6141"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "The remote host appears to be running Tftpd32, a tftpd server 
for\nWindows.\n\nThe version of Tftpd32 installed on the remote host appears to be\naffected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the\nserver or to execute code on the affected host subject to the\nprivileges under which the server operates, possibly SYSTEM since the\napplication can be configured to run as a service.", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-01-16T20:07:01", "references": [{"idList": ["OSVDB:30502"], "type": "osvdb"}, {"idList": ["VU:632633"], "type": "cert"}, {"idList": ["CVE-2006-6141"], "type": "cve"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "ddbc19f2b3584c862143d5507fffcdb668786926d268aca541849764702641ca", "hashmap": [{"hash": "d2aa29f535ead867ca8870af5a13ea18", "key": "cvelist"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "3a4a358d54a3afc38778067bfa26f839", "key": "published"}, {"hash": "3e7654d21f194a07602455cdd417077a", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "45c7cae4b772fbb12cf4630969cbb7a0", "key": "title"}, {"hash": "7604588593ce66a0b59ead84cf96019a", "key": "description"}, {"hash": "8eb0a19e3a65b6a7402eb8764e07fb58", "key": "references"}, {"hash": "51cb8efc21e2f073d9261b4d059ed96d", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "2e3e663dc2e4fbc44625b502b0a241ec", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23650", "id": "TFTPD32_FILENAME_OVERFLOW.NASL", "lastseen": "2019-01-16T20:07:01", "modified": "2018-11-15T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", 
"pluginID": "23650", "published": "2006-11-18T00:00:00", "references": ["https://www.securityfocus.com/archive/1/451951/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23650);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2006-6141\");\n script_bugtraq_id(21148);\n\n script_name(english:\"Tftpd32 GET/PUT Command File Name Handling Overflow\");\n script_summary(english:\"Checks for a buffer overflow vulnerability in Tftpd32\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote TFTP server is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Tftpd32, a tftpd server for\nWindows.\n\nThe version of Tftpd32 installed on the remote host appears to be\naffected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the\nserver or to execute code on the affected host subject to the\nprivileges under which the server operates, possibly SYSTEM since the\napplication can be configured to run as a service.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/451951/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/11/18\");\n\n 
script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"tftpd_detect.nasl\");\n script_require_keys(\"Services/udp/tftp\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"Services/udp/tftp\");\nif (!port) port = 69;\n\n\nfunction tftp_get(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x01, # Get\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\nfunction tftp_write(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x02, # Write\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n 
ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\n# If the server is up...\nfile = string(SCRIPT_NAME, \"-\", unixtime());\nres = tftp_get(port:port, file:file);\nif (!isnull(res)) {\n # Try to exploit it by writing a file with a long name.\n res = tftp_write(port:port, file:file+crap(200)+\".txt\");\n\n # If we didn't get anything back...\n if (isnull(res)) {\n # Test the server again.\n res = tftp_get(port:port, file:file);\n\n # There's a problem if we didn't get anything back.\n if (isnull(res)) security_warning(port:port, protocol:\"udp\");\n }\n}\n", "title": "Tftpd32 GET/PUT Command File Name Handling Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["description"], "edition": 6, "lastseen": "2019-01-16T20:07:01"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2006-6141"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "The remote host appears to be running Tftpd32, a tftpd server for Windows.\n\nThe version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the server or to execute code on the affected host subject to the privileges under which the server operates, possibly SYSTEM since the application can be configured to run as a service.", "edition": 2, 
"enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a003dbfee9d26796b36723f9be07f390dcb91c3af5d2201d5fa9d1cd81145982", "hashmap": [{"hash": "d2aa29f535ead867ca8870af5a13ea18", "key": "cvelist"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "3a4a358d54a3afc38778067bfa26f839", "key": "published"}, {"hash": "4aa58edb34f602274ca6991a8056c136", "key": "modified"}, {"hash": "3e7654d21f194a07602455cdd417077a", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "5c797024cc715160881bf71d1b1db9f8", "key": "description"}, {"hash": "45c7cae4b772fbb12cf4630969cbb7a0", "key": "title"}, {"hash": "51cb8efc21e2f073d9261b4d059ed96d", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "2ade29be5d27062a2625497a45f4bfe9", "key": "sourceData"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "2e77fab96bbaebdfc3eda6a9a061e2e5", "key": "references"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23650", "id": "TFTPD32_FILENAME_OVERFLOW.NASL", "lastseen": "2018-08-02T08:03:18", "modified": "2018-08-01T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23650", "published": "2006-11-18T00:00:00", "references": ["http://www.securityfocus.com/archive/1/451951/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23650);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/08/01 17:36:15\");\n\n script_cve_id(\"CVE-2006-6141\");\n script_bugtraq_id(21148);\n\n script_name(english:\"Tftpd32 GET/PUT Command File Name Handling Overflow\");\n script_summary(english:\"Checks for a buffer overflow vulnerability in Tftpd32\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\"The remote TFTP server is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Tftpd32, a tftpd server for\nWindows.\n\nThe version of Tftpd32 installed on the remote host appears to be\naffected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the\nserver or to execute code on the affected host subject to the\nprivileges under which the server operates, possibly SYSTEM since the\napplication can be configured to run as a service.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/451951/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/11/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"tftpd_detect.nasl\");\n script_require_keys(\"Services/udp/tftp\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = 
get_kb_item(\"Services/udp/tftp\");\nif (!port) port = 69;\n\n\nfunction tftp_get(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x01, # Get\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\nfunction tftp_write(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x02, # Write\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\n# If the server is up...\nfile = 
string(SCRIPT_NAME, \"-\", unixtime());\nres = tftp_get(port:port, file:file);\nif (!isnull(res)) {\n # Try to exploit it by writing a file with a long name.\n res = tftp_write(port:port, file:file+crap(200)+\".txt\");\n\n # If we didn't get anything back...\n if (isnull(res)) {\n # Test the server again.\n res = tftp_get(port:port, file:file);\n\n # There's a problem if we didn't get anything back.\n if (isnull(res)) security_warning(port:port, protocol:\"udp\");\n }\n}\n", "title": "Tftpd32 GET/PUT Command File Name Handling Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-02T08:03:18"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2006-6141"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote host appears to be running Tftpd32, a tftpd server for Windows.\n\nThe version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the server or to execute code on the affected host subject to the privileges under which the server operates, possibly SYSTEM since the application can be configured to run as a service.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "2cd0f36dd77eba8ab2227861d726068ddd3ffda32dbf64241a919b268decbc2a", "hashmap": [{"hash": "d2aa29f535ead867ca8870af5a13ea18", "key": "cvelist"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "3a4a358d54a3afc38778067bfa26f839", "key": "published"}, {"hash": "4aa58edb34f602274ca6991a8056c136", "key": "modified"}, {"hash": "3e7654d21f194a07602455cdd417077a", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "5c797024cc715160881bf71d1b1db9f8", "key": "description"}, {"hash": "45c7cae4b772fbb12cf4630969cbb7a0", "key": "title"}, {"hash": "51cb8efc21e2f073d9261b4d059ed96d", 
"key": "pluginID"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "2ade29be5d27062a2625497a45f4bfe9", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "2e77fab96bbaebdfc3eda6a9a061e2e5", "key": "references"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23650", "id": "TFTPD32_FILENAME_OVERFLOW.NASL", "lastseen": "2018-08-30T19:46:51", "modified": "2018-08-01T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23650", "published": "2006-11-18T00:00:00", "references": ["http://www.securityfocus.com/archive/1/451951/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23650);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/08/01 17:36:15\");\n\n script_cve_id(\"CVE-2006-6141\");\n script_bugtraq_id(21148);\n\n script_name(english:\"Tftpd32 GET/PUT Command File Name Handling Overflow\");\n script_summary(english:\"Checks for a buffer overflow vulnerability in Tftpd32\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote TFTP server is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Tftpd32, a tftpd server for\nWindows.\n\nThe version of Tftpd32 installed on the remote host appears to be\naffected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the\nserver or to execute code on the affected host subject to the\nprivileges under which the server operates, possibly SYSTEM since the\napplication can be configured to run as a service.\");\n script_set_attribute(attribute:\"see_also\", 
value:\"http://www.securityfocus.com/archive/1/451951/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/11/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"tftpd_detect.nasl\");\n script_require_keys(\"Services/udp/tftp\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"Services/udp/tftp\");\nif (!port) port = 69;\n\n\nfunction tftp_get(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x01, # Get\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + 
' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\nfunction tftp_write(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x02, # Write\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\n# If the server is up...\nfile = string(SCRIPT_NAME, \"-\", unixtime());\nres = tftp_get(port:port, file:file);\nif (!isnull(res)) {\n # Try to exploit it by writing a file with a long name.\n res = tftp_write(port:port, file:file+crap(200)+\".txt\");\n\n # If we didn't get anything back...\n if (isnull(res)) {\n # Test the server again.\n res = tftp_get(port:port, file:file);\n\n # There's a problem if we didn't get anything back.\n if (isnull(res)) security_warning(port:port, protocol:\"udp\");\n }\n}\n", "title": "Tftpd32 GET/PUT Command File Name Handling Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:46:51"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": 
[], "cvelist": ["CVE-2006-6141"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "The remote host appears to be running Tftpd32, a tftpd server for Windows.\n\nThe version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the server or to execute code on the affected host subject to the privileges under which the server operates, possibly SYSTEM since the application can be configured to run as a service.", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "6cc623ede394121ae5e0df196a50ecf70ecee78a84ff08d14d5784f887b2b3a5", "hashmap": [{"hash": "d2aa29f535ead867ca8870af5a13ea18", "key": "cvelist"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "3a4a358d54a3afc38778067bfa26f839", "key": "published"}, {"hash": "3e7654d21f194a07602455cdd417077a", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "5c797024cc715160881bf71d1b1db9f8", "key": "description"}, {"hash": "bb49e34f4d4aa29b384b00da62104a03", "key": "modified"}, {"hash": "45c7cae4b772fbb12cf4630969cbb7a0", "key": "title"}, {"hash": "79613559920fe0bdf535e9bffea5b9d1", "key": "sourceData"}, {"hash": "51cb8efc21e2f073d9261b4d059ed96d", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "2e77fab96bbaebdfc3eda6a9a061e2e5", "key": "references"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23650", "id": "TFTPD32_FILENAME_OVERFLOW.NASL", "lastseen": "2016-09-26T17:25:10", "modified": "2014-05-26T00:00:00", "naslFamily": "Windows", "objectVersion": "1.2", "pluginID": 
"23650", "published": "2006-11-18T00:00:00", "references": ["http://www.securityfocus.com/archive/1/451951/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23650);\n script_version(\"$Revision: 1.17 $\");\n script_cvs_date(\"$Date: 2014/05/26 16:32:07 $\");\n\n script_cve_id(\"CVE-2006-6141\");\n script_bugtraq_id(21148);\n script_osvdb_id(30502);\n\n script_name(english:\"Tftpd32 GET/PUT Command File Name Handling Overflow\");\n script_summary(english:\"Checks for a buffer overflow vulnerability in Tftpd32\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote TFTP server is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Tftpd32, a tftpd server for\nWindows.\n\nThe version of Tftpd32 installed on the remote host appears to be\naffected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the\nserver or to execute code on the affected host subject to the\nprivileges under which the server operates, possibly SYSTEM since the\napplication can be configured to run as a service.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/451951/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/11/18\");\n\n 
script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2014 Tenable Network Security, Inc.\");\n\n script_dependencies(\"tftpd_detect.nasl\");\n script_require_keys(\"Services/udp/tftp\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"Services/udp/tftp\");\nif (!port) port = 69;\n\n\nfunction tftp_get(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x01, # Get\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\nfunction tftp_write(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x02, # Write\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n 
ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\n# If the server is up...\nfile = string(SCRIPT_NAME, \"-\", unixtime());\nres = tftp_get(port:port, file:file);\nif (!isnull(res)) {\n # Try to exploit it by writing a file with a long name.\n res = tftp_write(port:port, file:file+crap(200)+\".txt\");\n\n # If we didn't get anything back...\n if (isnull(res)) {\n # Test the server again.\n res = tftp_get(port:port, file:file);\n\n # There's a problem if we didn't get anything back.\n if (isnull(res)) security_warning(port:port, protocol:\"udp\");\n }\n}\n", "title": "Tftpd32 GET/PUT Command File Name Handling Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:25:10"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "d2aa29f535ead867ca8870af5a13ea18"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "5c797024cc715160881bf71d1b1db9f8"}, {"key": "href", "hash": "3e7654d21f194a07602455cdd417077a"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "naslFamily", "hash": "aea23489ce3aa9b6406ebb28e0cda430"}, {"key": "pluginID", "hash": "51cb8efc21e2f073d9261b4d059ed96d"}, {"key": "published", "hash": 
"3a4a358d54a3afc38778067bfa26f839"}, {"key": "references", "hash": "8eb0a19e3a65b6a7402eb8764e07fb58"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "2e3e663dc2e4fbc44625b502b0a241ec"}, {"key": "title", "hash": "45c7cae4b772fbb12cf4630969cbb7a0"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "698431a405b6f1b63d5d3a9f52cbca08951ac5f98936bcbd91cc23d004ba2e78", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-6141"]}, {"type": "osvdb", "idList": ["OSVDB:30502"]}, {"type": "cert", "idList": ["VU:632633"]}], "modified": "2019-02-21T01:09:35"}, "score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23650);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2006-6141\");\n script_bugtraq_id(21148);\n\n script_name(english:\"Tftpd32 GET/PUT Command File Name Handling Overflow\");\n script_summary(english:\"Checks for a buffer overflow vulnerability in Tftpd32\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote TFTP server is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Tftpd32, a tftpd server for\nWindows.\n\nThe version of Tftpd32 installed on the remote host appears to be\naffected by a buffer overflow vulnerability involving long filenames.\nBy leveraging this flaw, a remote attacker may be able to crash the\nserver or to execute code on the affected host subject to the\nprivileges under which the server operates, possibly SYSTEM since the\napplication can be configured to run as a service.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/451951/30/0/threaded\");\n 
script_set_attribute(attribute:\"solution\", value:\"Unknown at this time.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/11/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"tftpd_detect.nasl\");\n script_require_keys(\"Services/udp/tftp\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n\nport = get_kb_item(\"Services/udp/tftp\");\nif (!port) port = 69;\n\n\nfunction tftp_get(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x01, # Get\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = 
send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\nfunction tftp_write(port, file) {\n local_var data, filter, i, ip, req, res, sport, tries, udp;\n\n if (isnull(port)) port = 69;\n if (isnull(file)) return NULL;\n\n req = raw_string(\n 0x00, 0x02, # Write\n file, 0x00, # file\n \"netascii\", 0x00 # as netascii\n );\n\n ip = forge_ip_packet(\n ip_hl:5,\n ip_v:4,\n ip_tos:0,\n ip_len:20,\n ip_id:rand(),\n ip_off:0,\n ip_ttl:64,\n ip_p:IPPROTO_UDP,\n ip_src:this_host()\n );\n sport = rand() % 64512 + 1024;\n udp = forge_udp_packet(\n ip:ip,\n uh_sport:sport,\n uh_dport:port,\n uh_ulen:8 + strlen(req),\n data:req\n );\n\n filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';\n\n tries = 2;\n for (i=0; i < tries; i++) {\n res = send_packet(\n udp,\n pcap_active:TRUE,\n pcap_filter:filter,\n pcap_timeout:1\n );\n if (res) break;\n }\n\n # If there's a result, return the data.\n if (res) {\n return get_udp_element(udp:res, element:\"data\");\n }\n}\n\n\n# If the server is up...\nfile = string(SCRIPT_NAME, \"-\", unixtime());\nres = tftp_get(port:port, file:file);\nif (!isnull(res)) {\n # Try to exploit it by writing a file with a long name.\n res = tftp_write(port:port, file:file+crap(200)+\".txt\");\n\n # If we didn't get anything back...\n if (isnull(res)) {\n # Test the server again.\n res = tftp_get(port:port, file:file);\n\n # There's a problem if we didn't get anything back.\n if (isnull(res)) security_warning(port:port, protocol:\"udp\");\n }\n}\n", "naslFamily": "Windows", "pluginID": "23650", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2018-10-18T15:05:38", "bulletinFamily": "NVD", "description": "Buffer overflow in Tftpd32 3.01 allows remote attackers to cause a denial of service via a long GET or PUT request, which is not properly handled when the request is displayed in the title of the gauge window.", "modified": "2018-10-17T17:46:52", "published": "2006-11-27T21:07:00", "id": "CVE-2006-6141", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6141", "title": "CVE-2006-6141", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://tftpd32.jounin.net/\n[Secunia Advisory ID:22968](https://secuniaresearch.flexerasoftware.com/advisories/22968/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-11/0331.html\nISS X-Force ID: 30439\nFrSIRT Advisory: ADV-2006-4606\n[CVE-2006-6141](https://vulners.com/cve/CVE-2006-6141)\nBugtraq ID: 21148\n", "modified": "2006-11-16T06:49:55", "published": "2006-11-16T06:49:55", "href": "https://vulners.com/osvdb/OSVDB:30502", "id": "OSVDB:30502", "title": "TFTPD32 GET/PUT Command File Name Handling Overflow DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "cert": [{"lastseen": "2018-12-25T20:18:14", "bulletinFamily": "info", "description": "### Overview \n\nWyse Simple Imager (WSI) includes older versions of TFTPD32 that contain publicly known vulnerabilities. An attacker could exploit these vulnerabilities to potentially execute arbitrary code on the system running WSI and TFTPD32.\n\n### Description \n\nWyse Simple Imager (WSI) is a component of Wyse Device Manager (WDM, formerly known as Wyse Rapport). WSI includes TFTPD32 as the TFTP service to load firmware images on client devices. 
The versions of TFTPD32 contain several known vulnerabilities. The following list of TFTPD32 vulnerabilities is based on public information:\n\n 1. [CVE-2002-2226](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2226>) Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote attackers to execute arbitrary code via a long filename argument.\n 2. [CVE-2002-2237](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2237>) tftp32 TFTP server 2.21 and earlier allows remote attackers to cause a denial of service via a GET request with a DOS device name such as `com1` or `aux`.\n 3. [CVE-2002-2353](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2353>) tftpd32 2.50 and 2.50.2 allows remote attackers to read or write arbitrary files via a full pathname in GET and PUT requests.\n 4. [CVE-2006-0328](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0328>) Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request.\n 5. [CVE-2006-6141](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6141>) Buffer overflow in Tftpd32 3.01 allows remote attackers to cause a denial of service via a long GET or PUT request, which is not properly handled when the request is displayed in the title of the gauge window.\n 6. OSVDB ID: [12898](<http://osvdb.org/show/osvdb/12898>) Tftpd32 contains a flaw that may allow a remote denial of service. The issue is triggered when the server receives a TFTP request with a long filename, and will result in loss of availability for the service. \n--- \n \n### Impact \n\nAn attacker with network access to TFTPD32 could execute arbitrary code or cause a denial of service on a vulnerable system. \n \n--- \n \n### Solution \n\n**Use Wyse WDM and USB Imaging Tool** \nAccording to Wyse, WSI 1.3.x is a legacy product and its functionality is included in Wyse WDM 4.7.2 and Wyse USB Imaging Tool. 
Customers are strongly advised to migrate to WDM and USB Imaging Tool. Customers who are unable to migrate promptly, can refer to Wyse Knowledge Base article 18555 for remedial action. Wyse Knowledge Base is accessible through <http://suppport.wyse.com/>. \n \n**Upgrade TFTPD32** \n \nUpgrade TFTPD32 by [downloading](<http://tftpd32.jounin.net/tftpd32_download.html>) the latest version. \n \nWSI 1.3.6 provides TFTPD32 version 2.0 in the directory `ftproot\\Rapport\\Tools\\sa\\til\\` and TFTPD32 version 2.80 in `ftproot\\Rapport\\Tools\\sa\\til\\TFTPD280\\`. Consider using TFTPD32 version 2.80 or downloading the most current version of TFTPD32. \n \nThis table is based on public information, a brief exchange with the author of TFTPD32, and limited testing. This information may not be completely accurate, please send corrections to [cert@cert.org](<mailto:cert@cert.org&subject=VU%23632633%20Feedback>). \n\n\n \n| **Vulnerability**| **Fixed Version**| **Wyse Resolution** \n---|---|--- \n[CVE-2002-2226](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2226>)| 2.50.2| Addressed by WSB09-01 (using TFTPD32 version 2.80). \n[CVE-2002-2237](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-2237>)| 2.51| Addressed by WSB09-01 (using TFTPD32 version 2.80). \nCVE-2002-2353| 2.51| Addressed by WSB09-01 (using TFTPD32 version 2.80). \n[CVE-2006-0328](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0328>)| 2.8.2| ? \n[CVE-2006-6141](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6141>)| 3.10b| ? \nOSVDB ID: [12898](<http://osvdb.org/show/osvdb/12898>)| 2.80| Addressed by WSB09-01 (using TFTPD32 version 2.80). \n \n**Restrict Access to WSI** \n \nTo limit the exposure of TFTPD32, run WSI systems on a physically isolated network, such as a staging network where client devices are imaged before production deployment.. 
\n \n--- \n \n### Vendor Information\n\n632633\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ TFTPD32 \n\nUpdated: November 11, 2009 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe latest version of TFTPD32 is available [here](<http://tftpd32.jounin.net/tftpd32_download.html>).\n\n### __ __ Wyse \n\nNotified: July 04, 2009 Updated: November 19, 2009 \n\n**Statement Date: November 13, 2009**\n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nWSI 1.3.x is a legacy product and its functionality is included in Wyse WDM 4.7.2 and Wyse USB Imaging Tool. Customers are strongly advised to migrate to WDM and USB Imaging Tool.\n\nCustomers who are unable to migrate promptly, can refer to Wyse Knowledge Base article 18555 for remedial action. 
Wyse Knowledge Base is accessible through <http://suppport.wyse.com/>.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n<http://suppport.wyse.com/>\n\n### Addendum\n\nWSI 1.3.6 includes TFTPD32 versions 2.00 and 2.80.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23632633 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://tftpd32.jounin.net/tftpd32_news.html>\n * <http://tftpd32.jounin.net/tftpd32.html>\n * <http://osvdb.org/show/osvdb/12898>\n * <http://secway.org/advisory/ad20050108.txt>\n * <http://www.wyse.com/serviceandsupport/support/WSB09-01.zip>\n * <http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf>\n * <http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/>\n * <http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html>\n\n### Credit\n\nThese vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft and Art Manion. \n\nThis document was written by Art Manion. 
\n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-2226, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2226>) [CVE-2002-2237, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2237>) [CVE-2002-2353, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2353>) [CVE-2006-0328, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0328>) [CVE-2006-6141](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6141>) \n---|--- \n**Severity Metric:** | 13.51 \n**Date Public:** | 2009-07-10 \n**Date First Published:** | 2009-11-19 \n**Date Last Updated:** | 2009-11-19 22:58 UTC \n**Document Revision:** | 54 \n", "modified": "2009-11-19T22:58:00", "published": "2009-11-19T00:00:00", "id": "VU:632633", "href": "https://www.kb.cert.org/vuls/id/632633", "type": "cert", "title": "Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}