Vigil@nce: tftp-hpa, buffer overflow via utimeout
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a special TFTP query to the tftp-hpa daemon, in order to create an overflow, leading to a denial of service and possibly to code execution.
Creation date: 04/07/2011
SUSE Linux Enterprise Server
Unix - platform
DESCRIPTION OF THE VULNERABILITY
The tftp-hpa product implements a TFTP client and server.
By default, tftp-hpa retransmits an unacknowledged packet after one second. A client can change this timeout by including the "utimeout" option in its request, with a value between 10000 and 255000000 microseconds (10 ms to 255 s).
The set_utimeout() function of the tftpd/tftpd.c file copies the received value into a "b_ret" array of 4 bytes, whereas the largest accepted value needs 10 bytes (the 9 digits of 255000000 plus the terminating NUL). The remaining digits (characters '0' to '9') are therefore written past the end of the "b_ret" array. Because the value is validated as a number before being formatted, the bytes that overflow are limited to decimal digits, which constrains but does not rule out exploitation.
An attacker can therefore send a special TFTP query to the tftp-hpa daemon, in order to create an overflow, leading to a denial of service and possibly to code execution.
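The following is an added example, not tftp-hpa's own code, showing the bounded shape of the handling described above: a walker over the option block of a TFTP read/write request, and a utimeout handler whose echo buffer is sized from the largest accepted value instead of a fixed small number. The function names, the UTIMEOUT_* constants and the sample request bodies are assumptions constructed for illustration; only the accepted range (10000 to 255000000 microseconds) comes from the bulletin.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Range accepted for the utimeout option, in microseconds (10 ms .. 255 s). */
#define UTIMEOUT_MIN 10000UL
#define UTIMEOUT_MAX 255000000UL
/* The largest accepted value, "255000000", is 9 digits: the buffer that echoes
 * it back in the OACK needs 10 bytes including the terminating NUL. */
#define UTIMEOUT_STRLEN (sizeof("255000000"))

/* Hypothetical replacement for set_utimeout(): validate a client-supplied
 * utimeout value, store it in *out and its canonical decimal form in ret.
 * Returns 1 on success, 0 (writing nothing) on malformed, overlong or
 * out-of-range input. */
int parse_utimeout(const char *val, unsigned long *out, char *ret, size_t retlen)
{
    const char *p;
    char *end;
    unsigned long v;

    if (val == NULL || *val == '\0' || retlen < UTIMEOUT_STRLEN)
        return 0;
    /* Decimal digits only: strtoul alone would also accept "+", " " or "0x". */
    for (p = val; *p; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    /* Length check before conversion: an in-range value has at most 9 digits,
     * so anything longer is rejected without ever being formatted. */
    if ((size_t)(p - val) > UTIMEOUT_STRLEN - 1)
        return 0;
    errno = 0;
    v = strtoul(val, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < UTIMEOUT_MIN || v > UTIMEOUT_MAX)
        return 0;
    /* Bounded write; the >= check treats truncation as an error. */
    if (snprintf(ret, retlen, "%lu", v) >= (int)retlen)
        return 0;
    *out = v;
    return 1;
}

/* Option names are case-insensitive (RFC 2347). */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Start of the field after the NUL-terminated one at p, or NULL if no NUL
 * lies within [p, end). This bound is what keeps the walker inside len. */
static const char *next_field(const char *p, const char *end)
{
    const char *nul = p < end ? memchr(p, '\0', (size_t)(end - p)) : NULL;
    return nul ? nul + 1 : NULL;
}

/* Find option "name" in the body of a RRQ/WRQ (bytes after the 2-byte opcode):
 * filename NUL mode NUL (option NUL value NUL)*. Returns the value or NULL. */
const char *find_option(const char *body, size_t len, const char *name)
{
    const char *end = body + len, *p = body, *oname, *oval;

    if (!(p = next_field(p, end)) || !(p = next_field(p, end)))
        return NULL;                       /* filename or mode unterminated */
    while (p < end) {
        oname = p;
        if (!(oval = next_field(oname, end)) || !(p = next_field(oval, end)))
            return NULL;                   /* name or value unterminated */
        if (name_eq(oname, name))
            return oval;
    }
    return NULL;
}

/* Parsed utimeout for a bare option string, or -1 when rejected. */
long utimeout_value(const char *val)
{
    char echo[UTIMEOUT_STRLEN];
    unsigned long v;
    return parse_utimeout(val, &v, echo, sizeof echo) ? (long)v : -1;
}

/* Parsed utimeout carried by a request body, or -1 when absent or rejected. */
long request_utimeout(const char *body, size_t len)
{
    const char *val = find_option(body, len, "utimeout");
    return val ? utimeout_value(val) : -1;
}

/* Constructed sample bodies (not captured traffic). Adjacent string literals
 * are used so that "\0" is never followed by an octal digit. sizeof includes
 * the final NUL, which terminates the option value. */
static const char RRQ_OK[]   = "boot.bin\0" "octet\0" "utimeout\0" "255000000";
static const char RRQ_LONG[] = "boot.bin\0" "octet\0" "utimeout\0" "2550000000";

int main(void)
{
    printf("RRQ_OK:              %ld\n", request_utimeout(RRQ_OK, sizeof RRQ_OK));
    printf("RRQ_LONG (10 digits): %ld\n", request_utimeout(RRQ_LONG, sizeof RRQ_LONG));
    printf("unterminated value:  %ld\n", request_utimeout(RRQ_OK, sizeof RRQ_OK - 1));
    return 0;
}
```

Passing `sizeof RRQ_OK - 1` drops the terminating NUL of the value from the advertised length, which is the case a parser must handle on the wire: the walker returns NULL rather than reading past the datagram.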