Vigil@nce: tftp-hpa, buffer overflow via utimeout

July 2011 by Vigil@nce

This bulletin was written by Vigil@nce: http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can send a special TFTP query to the tftp-hpa daemon, in order to create an overflow, leading to a denial of service and possibly to code execution.

- Severity: 2/4
- Creation date: 04/07/2011

IMPACTED PRODUCTS

- OpenSUSE
- SUSE Linux Enterprise Server
- Unix - platform

DESCRIPTION OF THE VULNERABILITY

The tftp-hpa product implements a TFTP client and server.

By default, tftp-hpa retransmits packets after one second. This timeout can be modified by a client sending a TFTP "utimeout" query, with a value between 10000 and 255000000 microseconds (10 ms to 255 seconds).

The set_utimeout() function in the tftpd/tftpd.c file stores the received value in a 4-byte array named "b_ret", whereas the "utimeout" value can be up to 10 bytes long (the 9 characters of 255000000 plus one). Digits (characters '0' to '9') are therefore written past the end of the "b_ret" array.

An attacker can therefore send a special TFTP query to the tftp-hpa daemon, in order to create an overflow, leading to a denial of service and possibly to code execution.
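The size mismatch described above can be checked with a bounded formatter. The following is an added example, not code from tftp-hpa or from the bulletin; `decimal_size`, `format_utimeout` and the `UTIMEOUT_*` names are hypothetical, and only the 4-byte array size and the 10000 to 255000000 range come from the text.

```c
#include <stdio.h>
#include <string.h>

/* Accepted range for "utimeout", as stated in the bulletin. */
#define UTIMEOUT_MIN 10000UL
#define UTIMEOUT_MAX 255000000UL
/* Buffer sized from the largest accepted value: 9 digits + NUL = 10. */
#define UTIMEOUT_BUFSZ sizeof("255000000")

/* Bytes needed to print v in decimal, terminating NUL included. */
static size_t decimal_size(unsigned long v)
{
    size_t n = 2;                 /* one digit plus NUL */
    while (v >= 10) {
        v /= 10;
        n++;
    }
    return n;
}

/* Hardened pattern: range check first, then a bounded write.
 * Returns 0 on success, -1 if v is out of range or out is too small. */
static int format_utimeout(unsigned long v, char *out, size_t outlen)
{
    int n;

    if (out == NULL || outlen == 0 || v < UTIMEOUT_MIN || v > UTIMEOUT_MAX)
        return -1;
    n = snprintf(out, outlen, "%lu", v);   /* never writes past outlen */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';                     /* do not hand back a truncated value */
        return -1;
    }
    return 0;
}

int main(void)
{
    char b_ret[4];                /* same size as the array in the bulletin */
    char fixed[UTIMEOUT_BUFSZ];

    printf("bytes needed for max value: %zu\n", decimal_size(UTIMEOUT_MAX));
    printf("min value into 4 bytes: %d\n",
           format_utimeout(UTIMEOUT_MIN, b_ret, sizeof b_ret));
    if (format_utimeout(UTIMEOUT_MAX, fixed, sizeof fixed) == 0)
        printf("max value into %zu bytes: %s\n", sizeof fixed, fixed);
    return 0;
}
```

Even the smallest accepted value needs 6 bytes, so a 4-byte destination is too small for every value that passes the range check, not only the largest one.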

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/t...



