Buffer-overflow in BootManage TFTPD 1.99

2008-03-17T00:00:00
ID SECURITYVULNS:DOC:19431
Type securityvulns
Reporter Securityvulns
Modified 2008-03-17T00:00:00

Description

                         Luigi Auriemma

Application: BootManage TFTPD http://www.bootix.com/products/administrator_en.html Versions: <= 1.99 (BootManage Administrator <= 7.1) Platforms: Windows Bug: buffer-overflow Exploitation: remote Date: 16 Mar 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org

1) Introduction 2) Bug 3) The Code 4) Fix

=============== 1) Introduction ===============

BootManage TFTPD is a TFTP server for Windows implemented in BootManage Administrator. Although exist TFTP servers for other platforms on the bootix website, only this 32 bit version for Windows is the most updated.

====== 2) Bug ======

The TFTP server is affected by a buffer-overflow vulnerability exploitable with a filename longer than 32 bytes when used for building the log string: sprintf(buffer, "%s: %s", filename, log_entry)

=========== 3) The Code ===========

http://aluigi.org/testz/tftpx.zip

tftpx -f SERVER 2000 none

====== 4) Fix ======

No fix


Luigi Auriemma http://aluigi.org