[Snort-sigs] Sid 2337, again
alexander.s at ...1565...
Fri Mar 12 11:34:04 EST 2004
I sent this with some typos the first time:
TFTP PUT filename overflow attempt
This attack is a buffer overflow using the PUT command in the atftpd and
root privilege can be gained remotely.
The PUT commands in these TFTP daemons are not able to correctly handle
long filenames. This rule checks to see that the filename is 100
characters or less (including the terminating NULL).
atftpd 0.6.0 and 06.1.1 running on Debian Linux 3.0.
Tullerian TftpdNT 2.0 and earlier.
A remote or local attacker can use this attack against a vulnerable TFTP
daemon to gain root privileges.
Ease of Attack:
Easy; an exploit is publicly available for both TFTP daemons.
Possible, it is well within the ability of non-vulnerable TFTP servers
to handle filenames in excess of 100 characters.
Upgrade atftpd or TftpdNT. Block access to TFTP from outside your local
network and/or trusted workstations.
Documentation - Steven Alexander<alexander.s at ...1565...>
More information about the Snort-sigs