[Snort-sigs] Sid 2337, again

Steven Alexander alexander.s at ...1565...
Fri Mar 12 11:34:04 EST 2004


I sent this with some typos the first time:

Rule:  
TFTP PUT filename overflow attempt 
--
Sid:
2337
--
Summary:
This attack is a buffer overflow using the PUT command in the atftpd and
TftpdNT daemons.

--
Impact:

root privilege can be gained remotely.

--
Detailed Information:

The PUT commands in these TFTP daemons are not able to correctly handle
long filenames.  This rule checks to see that the filename is 100
characters or less (including the terminating NULL).

--
Affected Systems:

atftpd 0.6.0 and 06.1.1 running on Debian Linux 3.0.
Tellurian TftpdNT 2.0 and earlier.

--
Attack Scenarios:
 
A remote or local attacker can use this attack against a vulnerable TFTP
daemon to gain root privileges.
--
Ease of Attack:

Easy; an exploit is publicly available for both TFTP daemons.

--
False Positives:

Possible; it is well within the ability of non-vulnerable TFTP servers
to handle filenames in excess of 100 characters.

--
False Negatives:

None known.
--
Corrective Action:

Upgrade atftpd or TftpdNT.  Block access to TFTP from outside your local
network and/or trusted workstations.

--
Contributors:
Documentation - Steven Alexander <alexander.s at ...1565...>
-- 
Additional References:
http://www.securityfocus.com/bid/7819
http://www.securityfocus.com/bid/8505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0380
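
The length check described under "Detailed Information", as an added example that is not part of the original post and is not the Snort rule itself. It assumes the RFC 1350 write-request layout (opcode 2, then a NUL-terminated filename and mode); the function names and sample datagrams are constructed for illustration.

```python
import struct

WRQ = 2             # RFC 1350 write request opcode (TFTP "PUT")
MAX_FILENAME = 100  # limit from the rule text: filename plus terminating NUL


def build_wrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    """Construct a WRQ datagram: opcode | filename | 0 | mode | 0."""
    return struct.pack("!H", WRQ) + filename + b"\x00" + mode + b"\x00"


def check_put_filename(payload: bytes, limit: int = MAX_FILENAME) -> str:
    """Classify a UDP payload addressed to port 69.

    Returns "not-wrq", "ok", "alert" (filename plus NUL exceeds the limit)
    or "malformed" (short datagram with no filename terminator at all).
    """
    if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != WRQ:
        return "not-wrq"
    body = payload[2:]
    # A NUL inside the first `limit` bytes means the filename, terminator
    # included, fits within the limit.
    if b"\x00" in body[:limit]:
        return "ok"
    # No terminator in the window and more data follows: filename overran.
    if len(body) > limit:
        return "alert"
    return "malformed"


# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "normal": build_wrq(b"firmware.bin"),
    "boundary": build_wrq(b"A" * 99),    # 99 chars + NUL = 100 bytes
    "over": build_wrq(b"A" * 100),       # 100 chars + NUL = 101 bytes
    # Long but legitimate name: the false-positive case noted in the post.
    "long-benign": build_wrq(b"backups/" + b"d" * 150 + b".tar"),
    "read-request": struct.pack("!H", 1) + b"boot.cfg\x00octet\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} {check_put_filename(pkt)}")
```

The "long-benign" sample alerts even though nothing about it is hostile, which is why alerts from a pure length check need to be triaged against the TFTP server version actually deployed.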
