Vigil@nce - OpenBSD: double free of TFTP
April 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the TFTP service is enabled, an attacker able to reach it can send
a request carrying a malformed option, in order to trigger a double free
in tftpd, which leads to a denial of service and possibly to code
execution.
Impacted products: OpenBSD
Severity: 2/4
Creation date: 22/03/2013
DESCRIPTION OF THE VULNERABILITY
When a TFTP client sends a request that carries options (RFC 2347
option negotiation), the TFTP server replies with an OACK (Option
Acknowledgment) packet listing the options it accepted.
The oack() function of the usr.sbin/tftpd/tftpd.c file builds and
sends OACK packets. If an error occurs, this function frees a memory
area before returning. However, the calling tftp_open() function frees
the same area again on its own error path, so the area is freed twice.
When the TFTP service is enabled, an attacker can therefore send a
request with a malformed option that makes oack() fail, in order to
trigger this double free, which leads to a denial of service and
possibly to code execution.
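The ownership mistake behind this class of bug, shown as an added
illustration written for this bulletin and not taken from OpenBSD's
tftpd.c: a callee that frees its caller's buffer on error, next to the
fixed form that only reports the error, with a caller in the role of
tftp_open() that frees the buffer on every exit path. The OACK builder,
the 64-byte packet limit, the oversized "blksize" value, the
tracking allocator and all function names are constructed for the
example; the allocator counts a second free of the same pointer instead
of performing it, so the buggy path can be run without corrupting the
heap.

```c
/*
 * Added illustration, not OpenBSD code. A toy OACK builder, a callee
 * that wrongly frees on error, a corrected callee, and a caller that
 * owns the buffer. A tracking allocator records double frees safely.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OACK_MAX    64     /* constructed limit on the OACK packet size */
#define MAX_TRACKED 8

static void *live[MAX_TRACKED];        /* outstanding allocations */
static int free_calls, double_frees;   /* counters read by the tests */

static void reset_tracking(void)
{
    memset(live, 0, sizeof live);
    free_calls = double_frees = 0;
}

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_TRACKED; i++)
        if (live[i] == NULL) { live[i] = p; break; }
    return p;
}

/* Frees p if it is live; a second free of the same pointer is only counted. */
static void tracked_free(void *p)
{
    free_calls++;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;
}

struct client { unsigned char *buf; size_t len; };

/* Serialise an OACK: opcode 6, then "name\0value\0" pairs (RFC 2347). */
static int build_oack(struct client *c, const char *opts[][2], size_t nopts)
{
    size_t off = 2;
    c->buf[0] = 0; c->buf[1] = 6;
    for (size_t i = 0; i < nopts; i++) {
        size_t nl = strlen(opts[i][0]) + 1, vl = strlen(opts[i][1]) + 1;
        if (off + nl + vl > OACK_MAX)
            return -1;                 /* option does not fit: reject it */
        memcpy(c->buf + off, opts[i][0], nl); off += nl;
        memcpy(c->buf + off, opts[i][1], vl); off += vl;
    }
    c->len = off;
    return 0;
}

/* Buggy callee: on error it frees a buffer it does not own. */
static int oack_buggy(struct client *c, const char *opts[][2], size_t nopts)
{
    if (build_oack(c, opts, nopts) == -1) {
        tracked_free(c->buf);
        return -1;
    }
    return 0;
}

/* Fixed callee: reports the error and leaves the buffer to its owner. */
static int oack_fixed(struct client *c, const char *opts[][2], size_t nopts)
{
    return build_oack(c, opts, nopts);
}

/*
 * Caller in the role of tftp_open(): allocates the buffer, has the callee
 * fill it, and frees it on every exit path (with oack_buggy this is the
 * second free). Returns the packet length, or -1 if the callee failed.
 */
static int serve_request(int (*oack)(struct client *, const char *[][2], size_t),
    const char *opts[][2], size_t nopts)
{
    struct client c = { NULL, 0 };

    reset_tracking();
    c.buf = tracked_malloc(OACK_MAX);
    if (c.buf == NULL)
        return -1;
    if (oack(&c, opts, nopts) == -1) {
        tracked_free(c.buf);           /* owner releases the buffer on error */
        return -1;
    }
    /* ... the OACK packet would be sent here ... */
    tracked_free(c.buf);
    return (int)c.len;
}

/* Constructed inputs: a normal request and one with an oversized option value. */
static const char *good_opts[][2] = { { "blksize", "1428" }, { "tsize", "0" } };
static const char *bad_opts[][2]  = { { "blksize",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" } };

static int run_buggy(void) { return serve_request(oack_buggy, bad_opts, 1); }
static int run_fixed(void) { return serve_request(oack_fixed, bad_opts, 1); }
static int run_valid(void) { return serve_request(oack_fixed, good_opts, 2); }
static int last_free_calls(void) { return free_calls; }
static int last_double_frees(void) { return double_frees; }

int main(void)
{
    int r = run_buggy();
    printf("buggy: rc=%d, free() calls=%d, double frees=%d\n", r, last_free_calls(), last_double_frees());
    r = run_fixed();
    printf("fixed: rc=%d, free() calls=%d, double frees=%d\n", r, last_free_calls(), last_double_frees());
    return 0;
}
```

The fix is an ownership rule, not a NULL check: whichever function allocates
the buffer releases it, and a callee that fails returns an error code and
touches nothing it did not allocate. When reviewing a patch for this kind of
bug, follow every error return from the callee back to the caller and count
the frees on that path; exactly one is correct.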
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenBSD-double-free-of-TFTP-12552