1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
|
Rule:
--
Sid:
1941
--
Summary:
This event is generated by an attempt to exploit a buffer overflow in TFTP file handling routines.
--
Impact:
Implementation Dependent. Several implementations of TFTP are vulnerable to a
buffer overflow when processing long TFTP get requests. This could allow
arbitrary code execution or result in a Denial of Service condition.
--
Detailed Information:
Insufficient bounds checking on requested filenames results in a simple to
exploit buffer overflow condition. This condition can be exploited by making
a request for an overly long file name.
Affected Systems:
Cisco IOS 11.1
Cisco IOS 11.2
Cisco IOS 11.3
ATFTP 0.6.0 and 0.6.1.1
--
Attack Scenarios:
Attackers with access to TFTP can exploit this condition remotely by
requesting an overly long file name.
--
Ease of Attack
Depending on the configuration of the TFTP server this vulnerability can be exploited with a simple script. Currently several exploits exist in the wild.
--
False Positives:
Requests for legitimate file names of 100 or more bytes will trigger this rule.
--
False Negatives
Currently this rule checks for the existance of a file name of 100 or more bytes. Vulnerable TFTP implemenations that experience faults with file names less than 100 bytes will not trigger this rule.
--
Corrective Action
Cisco:
For Cisco IOS 11.1, 11.2, 11.3 it is recommended that the TFTP service be disabled. Cisco does not plan on releasing a patch for this problem.
It may also be possible to mitigate this problem by creating an alias for all filenames being served via the TFTP service.
Example:
tftp-server flash rsp-jv-mz.111-24a alias CiscoIOS
AFTP:
Debian Upgrade atftp_0.6.0woody1_alpha.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_alpha.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_alpha.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_alpha.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_arm.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_arm.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_arm.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_arm.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_i386.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_i386.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_i386.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_i386.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_ia64.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_ia64.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_ia64.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_ia64.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_hppa.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_hppa.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_hppa.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_hppa.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_m68k.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_m68k.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_m68k.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_m68k.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_mips.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mips.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_mips.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mips.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_mipsel.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mipsel.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_mipsel.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mipsel.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_powerpc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_powerpc.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_powerpc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_powerpc.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_s390.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_s390.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_s390.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_s390.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftp_0.6.0woody1_sparc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_sparc.deb
Debian GNU/Linux 3.0 alias woody.
Debian Upgrade atftpd_0.6.0woody1_sparc.deb
http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_sparc.deb
Debian GNU/Linux 3.0 alias woody.
--
Contributors
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski matt.watchinski@sourcefire.com
--
Reference:
Bugtraq:
http://www.securityfocus.com/bid/5328
CVE:
CAN-2002-0813
--
|
