[Snort-sigs] Documentation sid 2337

Steven Alexander alexander.s at ...1565...
Fri Mar 12 11:22:02 EST 2004

TFTP PUT filename overflow attempt 
This attack is a buffer overflow using the PUT command in the atftpd and
TftpdNT daemons.

Root privileges can be gained remotely.

Detailed Information:

The PUT commands in these TFTP daemons are not able to correctly handle
long filenames.  This rule checks to see that the filename is 100
characters or less (including the terminating NULL).

Affected Systems:

atftpd 0.6.0 and 06.1.1 running on Debian Linux 3.0.
Tullerian TftpdNT 2.0 and earlier.

Attack Scenarios:

A remote or local attacker can use this attack against a vulnerable TFTP
daemon to gain root privileges.

Ease of Attack:

Easy; an exploit is publicly available for both TFTP daemons.

False Positives:

Possible; it is well within the ability of non-vulnerable TFTP servers
to handle filenames in excess of 100 characters.

False Negatives:

None known.

Corrective Action:

Upgrade atftpd or TftpdNT.  Block access to TFTP from outside your local
network and/or trusted workstations.

Documentation - Steven Alexander<alexander.s at ...1565...>
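
The length check described under Detailed Information, as an added example that is not part of the original post and is not the Snort rule itself: it parses a TFTP write request (opcode 2 per RFC 1350, which is what a client PUT sends) and flags a filename longer than 100 bytes counting the terminating NUL. The function names and the sample packets are constructed for illustration.

```python
import struct

WRQ = 2             # TFTP write-request opcode (RFC 1350), sent by a client PUT
MAX_FILENAME = 100  # limit from the rule text, terminating NUL included


def check_tftp_put(payload: bytes, limit: int = MAX_FILENAME):
    """Classify one UDP payload addressed to a TFTP server.

    Returns (verdict, length): verdict is 'not-wrq', 'ok', 'overlong' or
    'malformed'; length is the filename size including its NUL, or the
    number of bytes after the opcode when no NUL is present.
    """
    if len(payload) < 2:
        return ("malformed", 0)
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != WRQ:
        return ("not-wrq", 0)
    body = payload[2:]
    nul = body.find(b"\x00")
    if nul == -1:
        # Unterminated filename: overlong once it fills the whole window.
        return ("overlong" if len(body) >= limit else "malformed", len(body))
    length = nul + 1
    return ("overlong" if length > limit else "ok", length)


def wrq(name: bytes, mode: bytes = b"octet") -> bytes:
    """Build a constructed write request: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", WRQ) + name + b"\x00" + mode + b"\x00"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal put": wrq(b"firmware.bin"),
    "99 chars + NUL": wrq(b"A" * 99),
    "100 chars + NUL": wrq(b"A" * 100),
    "read request": struct.pack("!H", 1) + b"boot.cfg\x00octet\x00",
    "unterminated": struct.pack("!H", WRQ) + b"A" * 300,
}


def scan(samples=SAMPLES):
    return {label: check_tftp_put(p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, result in scan().items():
        print(f"{label:18} {result}")
```

As the False Positives section notes, an 'overlong' verdict only means the filename exceeds the rule's limit; a non-vulnerable server may accept such a request legitimately.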
Additional References:
