[VIM] AT-TFTP Server v1.8 Remote Denial of Service Vulnerability

George A. Theall theall at tenable.com
Tue Apr 26 08:30:25 CDT 2011


Has anyone looked at the report of a DoS in AT-TFTP v1.8 server that  
SecPod Research published and SecurityFocus covers with BID 47561?  
Version 1.8 is rather old, and there have been at least two other  
reports of issues in it:

   - Luigi Auriemma reported a directory traversal as well as a buffer  
overflow vulnerability in it back in 2004:  
http://aluigi.altervista.org/adv/attftp-adv.txt (BID 11584).

   - Pr0T3cT10n re-reported the directory traversal vulnerability in  
1.8 in 2010 (EDB-ID 15438 / BID 44711). And s/he specifically gave as  
a PoC a GET request for '../../../boot.ini'.

   - Liu Qixu reported a (very similar?) buffer overflow that can be  
triggered with a long file name in GET or PUT requests in v1.9 in  
2006: http://www.securityfocus.com/archive/1/452743/30/0/threaded (BID  
21320)

The PoC in SecPod's advisory is:

   data ='\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f' +\
   '\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00'

I don't see anything there that would overflow a buffer. Instead, it  
decodes to a GET request for '../../../boot.ini' in NETASCII mode,  
nearly identical to what Pr0T3cT10n had used in his report and very  
similar to what Luigi Auriemma had. Thus, it makes me wonder if SecPod  
posted the wrong exploit.

Thoughts?

George
-- 
theall at tenablesecurity.com
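The by-hand decoding in the post, as an added example that is not from the SecPod advisory or anyone on the list: a small RFC 1350 request parser run over the quoted bytes, followed by the checks a server or IDS would apply to such a request (traversal segments, an oversized name, an unknown mode). The `classify` helper and its 256-byte name limit are assumptions for illustration.

```python
import struct

# Constructed copy of the bytes quoted in the SecPod advisory.
SECPOD_POC = (b'\x00\x01\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x62\x6f\x6f'
              b'\x74\x2e\x69\x6e\x69\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00')

OPCODES = {1: 'RRQ', 2: 'WRQ', 3: 'DATA', 4: 'ACK', 5: 'ERROR'}


def parse_request(packet: bytes) -> dict:
    """Decode a TFTP RRQ/WRQ: 2-byte opcode, then NUL-terminated filename and mode."""
    if len(packet) < 4:
        raise ValueError('packet too short for a TFTP header')
    (opcode,) = struct.unpack('!H', packet[:2])
    if opcode not in (1, 2):
        raise ValueError(f'not a request packet: opcode {opcode}')
    fields = packet[2:].split(b'\x00')
    # A well-formed request ends with a NUL, so the final split element is empty.
    if len(fields) < 3 or fields[-1] != b'':
        raise ValueError('request is missing a NUL-terminated filename or mode')
    return {
        'opcode': OPCODES[opcode],
        'filename': fields[0].decode('ascii', errors='replace'),
        'filename_len': len(fields[0]),
        'mode': fields[1].decode('ascii', errors='replace').lower(),
    }


def classify(packet: bytes, max_name: int = 256) -> list:
    """Return the reasons a request should be flagged; an empty list means clean.

    max_name is an assumed limit, not a figure from any advisory."""
    req = parse_request(packet)
    findings = []
    # Normalise backslashes so a Windows-style '..\\' is caught as well.
    segments = req['filename'].replace('\\', '/').split('/')
    if '..' in segments or req['filename'].startswith('/'):
        findings.append('directory traversal')
    if req['filename_len'] > max_name:
        findings.append('oversized filename')
    if req['mode'] not in ('netascii', 'octet', 'mail'):
        findings.append('unknown transfer mode')
    return findings


if __name__ == '__main__':
    print(parse_request(SECPOD_POC))   # RRQ for '../../../boot.ini', mode netascii
    print(classify(SECPOD_POC))        # ['directory traversal']
```

Run as a script it prints the decoded request and the single finding, which is the traversal the post describes rather than an overflow.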