Rule:
--
Sid:
1941
--
Summary:
This event is generated by an attempt to exploit a buffer overflow in TFTP file handling routines.
--
Impact:
Implementation Dependent. Several implementations of TFTP are vulnerable to a
buffer overflow when processing long TFTP get requests. This could allow
arbitrary code execution or result in a Denial of Service condition.
--
Detailed Information:
Insufficient bounds checking on requested filenames results in a simple to
exploit buffer overflow condition. This condition can be exploited by making
a request for an overly long file name.
Affected Systems:
Cisco IOS 11.1
Cisco IOS 11.2
Cisco IOS 11.3
ATFTP 0.6.0 and 0.6.1.1
--
Attack Scenarios:
Attackers with access to TFTP can exploit this condition remotely by
requesting an overly long file name.
--
Ease of Attack:
Depending on the configuration of the TFTP server, this vulnerability can be exploited with a simple script. Currently several exploits exist in the wild.
--
False Positives:
Requests for legitimate file names of 100 or more bytes will trigger this rule.
--
False Negatives:
Currently this rule checks for the existence of a file name of 100 or more bytes. Vulnerable TFTP implementations that experience faults with file names less than 100 bytes will not trigger this rule.
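
The length check described under False Positives and False Negatives, as an added Python example (not the Snort rule itself and not Sourcefire code). It assumes the RFC 1350 request layout (2-byte opcode, NUL-terminated file name, NUL-terminated mode); the sample payloads are constructed for illustration.

```python
import struct

TFTP_RRQ = 1      # read request ("get") opcode, per RFC 1350
THRESHOLD = 100   # file-name length this page says the rule keys on


def parse_request(payload: bytes):
    """Return (opcode, file_name_bytes, terminated) or None if too short."""
    if len(payload) < 2:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    rest = payload[2:]
    end = rest.find(b"\x00")
    if end == -1:
        # No NUL terminator: treat everything after the opcode as the name.
        return opcode, rest, False
    return opcode, rest[:end], True


def is_long_get(payload: bytes, threshold: int = THRESHOLD) -> bool:
    """True when a get request carries a file name of `threshold`+ bytes."""
    parsed = parse_request(payload)
    if parsed is None:
        return False
    opcode, name, _terminated = parsed
    return opcode == TFTP_RRQ and len(name) >= threshold


def build_request(opcode: int, name: bytes, mode: bytes = b"octet") -> bytes:
    """Build a well-formed request in memory (constructed test data only)."""
    return struct.pack("!H", opcode) + name + b"\x00" + mode + b"\x00"


# Constructed sample payloads, labelled by the case they illustrate.
SAMPLES = {
    "short get": build_request(TFTP_RRQ, b"CiscoIOS"),
    "99-byte name (false negative)": build_request(TFTP_RRQ, b"A" * 99),
    "100-byte legitimate path (false positive)":
        build_request(TFTP_RRQ, b"images/" + b"d" * 89 + b".bin"),
    "long write request": build_request(2, b"A" * 150),
    "unterminated long get": struct.pack("!H", TFTP_RRQ) + b"A" * 300,
}


def classify(samples=SAMPLES):
    """Map each sample label to whether the length check would alert."""
    return {label: is_long_get(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, alerted in classify().items():
        print(f"{'ALERT' if alerted else 'pass ':5}  {label}")
```
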
--
Corrective Action:
Cisco:
For Cisco IOS 11.1, 11.2, 11.3 it is recommended that the TFTP service be disabled. Cisco does not plan on releasing a patch for this problem.
It may also be possible to mitigate this problem by creating an alias for all filenames being served via the TFTP service.
Example:
tftp-server flash rsp-jv-mz.111-24a alias CiscoIOS
ATFTP:
Debian Upgrade atftp_0.6.0woody1_alpha.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_alpha.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_alpha.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_alpha.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_arm.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_arm.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_arm.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_arm.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_i386.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_i386.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_i386.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_i386.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_ia64.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_ia64.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_ia64.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_ia64.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_hppa.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_hppa.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_hppa.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_hppa.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_m68k.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_m68k.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_m68k.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_m68k.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_mips.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mips.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_mips.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mips.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_mipsel.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mipsel.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_mipsel.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mipsel.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_powerpc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_powerpc.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_powerpc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_powerpc.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_s390.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_s390.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_s390.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_s390.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_sparc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_sparc.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_sparc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_sparc.deb
Debian GNU/Linux 3.0 alias woody.
--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski matt.watchinski@sourcefire.com
--
Reference:
Bugtraq:
http://www.securityfocus.com/bid/5328
CVE:
CAN-2002-0813
--