by Tan Chew Keong
Release Date: 31 May 2005
FutureSoft TFTP Server 2000
provides an Internet-standard TFTP (Trivial File Transfer Protocol) server on any Windows NT 4.0 PC or server. It supports all TFTP clients that are RFC 1350-compliant, including those integrated into network devices, such as routers. TFTP Server 2000 runs as an NT Service and writes to the NT Event Log.
A buffer overflow vulnerability was found in TFTP Server 2000. This vulnerability may be exploited
by a malicious user to crash the server or to execute arbitrary code with LOCAL SYSTEM privilege. A directory
traversal vulnerability also exists. This vulnerability may be exploited to retrieve files outside the
TFTP root directory.
Tested on TFTP Server 2000 Evaluation Version 1.0.0.1 on English Win2K Pro SP4 and WinXP SP2.
This advisory documents two vulnerabilities in FutureSoft TFTP Server 2000. The first is a buffer overflow vulnerability
that may be exploited to crash the server or to execute arbitrary code with LOCAL SYSTEM privilege. The second is a
directory traversal vulnerability that may be exploited to retrieve files outside the TFTP root directory.
1. Overly Long Filename and Transfer-Mode String Buffer Overflow Vulnerability.
The buffer overflow is triggered when the TFTP server receives a Read Request (RRQ) or a Write Request (WRQ) packet
containing an overly long filename or transfer-mode string. This is illustrated by the examples below.
A proper packet requesting binary (octet) transfer of the file a.txt.
---------------------------
|RRQ|a.txt|NULL|octet|NULL|
---------------------------
A crafted packet with overly long filename string.
------------------------------------------
|RRQ|AAAAAAAAAAAAAAAA....|NULL|octet|NULL|
------------------------------------------
A crafted packet with overly long transfer mode string.
------------------------------------------
|RRQ|a.txt|NULL|AAAAAAAAAAAAAAA.....|NULL|
------------------------------------------
Reversing tftpd.exe (File Date 9 June 1999 15:32, Size 40960) shows that the problem lies in the
unsafe use of strcpy() to copy the received filename and the transfer-mode string to stack buffers. The problematic
code is shown below.
Unsafe copy of received filename string.
.text:004029AA push dword ptr [ebp+0Ch]
.text:004029AD lea eax, [ebp-118h]
.text:004029B3 push eax
.text:004029B4 call strcpy
Unsafe copy of received transfer mode string.
.text:004029D1 push eax
.text:004029D2 lea eax, [ebp-98h]
.text:004029D8 push eax
.text:004029D9 call strcpy
By sending an overly long transfer-mode string, we were able to overwrite both the SEH and the saved EIP. The
write exception that subsequently occurs allows execution to be transferred to our shellcode via the overwritten SEH.
The following Ollydbg capture shows the SEH being overwritten by an overly long transfer-mode string. On our Win2K
test system, we were able to exploit this vulnerability to execute bindshell shellcode.
2. Directory Traversal Vulnerability.
TFTP Server 2000 allows files outside the TFTP root to be retrieved using directory traversal characters. Examples
are shown below.
C:\test>tftp -i 192.168.2.5 GET ../../../../../boot.ini
Transfer successful: 203 bytes in 1 second, 203 bytes/s
C:\test>tftp -i 192.168.2.5 GET ..\..\..\..\..\boot.ini
Transfer successful: 203 bytes in 1 second, 203 bytes/s
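The two defects above share a root cause: the request fields are accepted without any check on their length (section 1) or on their content (section 2) before being used. The following example, added here and not part of the advisory or of the FutureSoft product, shows what a request handler that performs both checks looks like: it parses an RRQ/WRQ packet from RFC 1350 with bounded field lengths, then maps the filename onto the TFTP root while refusing absolute paths and any ".." component, with both "/" and "\" treated as separators since the advisory shows the server honouring either. The field limits (MAX_FILENAME, MAX_MODE), the root directory and the sample packets are assumptions constructed for the example; the advisory gives only the stack offsets of the overflowed buffers, not the sizes the original server should have enforced.

```python
import struct

# Opcodes from RFC 1350 (the advisory refers to RRQ and WRQ by name only)
OP_RRQ = 1
OP_WRQ = 2

# Assumed limits for this example; the advisory gives only the stack offsets
# of the overflowed buffers, not the sizes the original server should have used
MAX_FILENAME = 255
MAX_MODE = 8                      # "netascii" is the longest RFC 1350 mode
VALID_MODES = {"netascii", "octet", "mail"}


class TftpRequestError(ValueError):
    """Raised for any request that must be refused before a file is opened."""


def parse_request(packet: bytes):
    """Parse |opcode|filename|NUL|mode|NUL| and return (opcode, filename, mode).

    Both string fields are bounded before they are accepted. This is the
    length check the two strcpy() calls quoted in the advisory do not perform.
    """
    if len(packet) < 4:
        raise TftpRequestError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise TftpRequestError(f"opcode {opcode} is not RRQ/WRQ")
    fields = packet[2:].split(b"\x00")
    # filename and mode must each be NUL-terminated, so at least three pieces
    # result (the third is whatever follows the mode terminator, e.g. options)
    if len(fields) < 3:
        raise TftpRequestError("filename or mode not NUL-terminated")
    raw_name, raw_mode = fields[0], fields[1]
    if not 0 < len(raw_name) <= MAX_FILENAME:
        raise TftpRequestError(f"filename length {len(raw_name)} out of range")
    if not 0 < len(raw_mode) <= MAX_MODE:
        raise TftpRequestError(f"mode length {len(raw_mode)} out of range")
    try:
        filename = raw_name.decode("ascii")
        mode = raw_mode.decode("ascii").lower()
    except UnicodeDecodeError as exc:
        raise TftpRequestError("non-ASCII bytes in request") from exc
    if mode not in VALID_MODES:
        raise TftpRequestError(f"unknown transfer mode {mode!r}")
    return opcode, filename, mode


def confine_to_root(root: str, filename: str) -> str:
    """Map a requested filename onto a path that stays inside the TFTP root.

    Both '/' and '\\' are treated as separators, because the advisory shows the
    Windows server honouring either form. Absolute paths, drive letters and any
    '..' component are refused outright rather than normalised away.
    """
    normalised = filename.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        raise TftpRequestError("absolute path refused")
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    if not parts:
        raise TftpRequestError("empty path")
    if any(p == ".." for p in parts):
        raise TftpRequestError("parent-directory component refused")
    return root.rstrip("/") + "/" + "/".join(parts)


def resolve_request(root: str, packet: bytes):
    """Full check: bounded parse, then path confinement. Returns (opcode, path, mode)."""
    opcode, filename, mode = parse_request(packet)
    return opcode, confine_to_root(root, filename), mode


def is_refused(root: str, packet: bytes) -> bool:
    """True if the request would be rejected before any file access."""
    try:
        resolve_request(root, packet)
    except TftpRequestError:
        return True
    return False


if __name__ == "__main__":
    ROOT = "C:/tftproot"   # constructed root directory for the demo
    # Constructed packets mirroring the diagrams and tftp commands in the advisory
    samples = {
        "proper RRQ": b"\x00\x01a.txt\x00octet\x00",
        "long filename": b"\x00\x01" + b"A" * 1000 + b"\x00octet\x00",
        "long mode": b"\x00\x01a.txt\x00" + b"A" * 1000 + b"\x00",
        "traversal /": b"\x00\x01../../../../../boot.ini\x00octet\x00",
        "traversal \\": b"\x00\x01..\\..\\..\\..\\..\\boot.ini\x00octet\x00",
    }
    for label, pkt in samples.items():
        try:
            print(f"{label:14s} -> accepted {resolve_request(ROOT, pkt)}")
        except TftpRequestError as exc:
            print(f"{label:14s} -> refused: {exc}")
```

Refusing any ".." component, rather than joining and normalising the path and then comparing prefixes, is the simpler rule to get right: it needs no knowledge of the filesystem's case handling or of alternative separators beyond the two the server accepts, and a legitimate TFTP client has no reason to address files relative to a parent directory.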
TFTP Server 2000 installs in C:\WINNT\SYSTEM32\ as tftpd.exe. This means that if Microsoft's TFTPD server is already
installed, TFTP Server 2000 will be overwritten and replaced with Microsoft's TFTPD server by Windows File Protection.
To ensure that the correct tftpd.exe is being tested, check that its file date is 9 June 1999 15:32, and file size is 40960.
- Vendor has been informed of these vulnerabilities by email. However, no reply was received.
18 May 05 - Vulnerability Discovered.
18 May 05 - Initial Vendor Notification. (no reply)
19 May 05 - Second Vendor Notification. (no reply)
31 May 05 - Public Release.
For further questions and enquiries, email the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg