Vigil@nce: tftp-hpa, buffer overflow via utimeout
July 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a special TFTP query to the tftp-hpa daemon,
in order to create an overflow, leading to a denial of service and
possibly to code execution.
– Severity: 2/4
– Creation date: 04/07/2011
IMPACTED PRODUCTS
– OpenSUSE
– SUSE Linux Enterprise Server
– Unix platform
DESCRIPTION OF THE VULNERABILITY
The tftp-hpa product implements a TFTP client and server.
By default, tftp-hpa retransmits a packet that has not been acknowledged
after one second. A client can change this timeout with the TFTP
"utimeout" option, whose value must lie between 10000 and 255000000
microseconds (10 ms to 255 s).
The set_utimeout() function in tftpd/tftpd.c formats the accepted value
into a static "b_ret" array of only 4 bytes. The decimal text of the
largest accepted value, 255000000, is 9 digits plus a terminating NUL,
i.e. 10 bytes. Since even the smallest accepted value, 10000, needs
6 bytes, every value the server accepts is too long for the array, and
the surplus digits (characters '0' to '9') and the NUL are written past
the end of "b_ret".
An attacker can therefore send a special TFTP query to the
tftp-hpa daemon, in order to create an overflow, leading to a
denial of service and possibly to code execution.
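As an added illustration, not the tftp-hpa source and not an exploit, the following C reconstructs the pattern described above: a reply buffer smaller than the decimal text of the largest accepted option value, beside a hardened version that validates the value strictly and bounds the formatting so that a too-small buffer produces a rejected option instead of an out-of-bounds write. The accepted range 10000..255000000 and the 4-byte reply size are taken from the bulletin; all function names, the 12-byte safe size and the probe values are this example's own assumptions. The overflow itself is only measured (with a counting snprintf), never performed.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Accepted range for the utimeout option, in microseconds (from the bulletin). */
#define UTIMEOUT_MIN 10000ULL
#define UTIMEOUT_MAX 255000000ULL

/* Size of the static reply array described in the bulletin. */
#define SMALL_REPLY_LEN 4

/* Hardened choice (this example's, not the project's): sized from the
 * largest legal value, "255000000" = 9 digits + NUL, with headroom. */
#define SAFE_REPLY_LEN 12

/* Bytes needed for the decimal text of v including the NUL terminator.
 * snprintf with a NULL/0 destination only counts; nothing is written. */
size_t decimal_len_with_nul(uintmax_t v)
{
    return (size_t)snprintf(NULL, 0, "%ju", v) + 1;
}

/* Would formatting v into a reply array of reply_len bytes run past its end? */
int reply_would_overflow(uintmax_t v, size_t reply_len)
{
    return decimal_len_with_nul(v) > reply_len;
}

/* Strict parse of the option value: unsigned decimal digits only, no
 * wraparound, inside the documented range. Returns 1 and sets *out on
 * success, 0 otherwise. */
int parse_utimeout(const char *val, uintmax_t *out)
{
    if (val == NULL || *val == '\0')
        return 0;
    for (const char *p = val; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return 0;               /* rejects "-5", "+7", " 12", "1e3" */
    errno = 0;
    char *end;
    uintmax_t to = strtoumax(val, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;
    if (to < UTIMEOUT_MIN || to > UTIMEOUT_MAX)
        return 0;
    *out = to;
    return 1;
}

/* Returns the parsed value, or 0 when rejected (0 is below UTIMEOUT_MIN,
 * so it can never be confused with an accepted value). */
uintmax_t parsed_or_zero(const char *val)
{
    uintmax_t to;
    return parse_utimeout(val, &to) ? to : 0;
}

/* Hardened set_utimeout: bounded snprintf, and truncation is an error, so
 * the reply buffer can never be overrun whatever its size. Returns 1 on success. */
int set_utimeout_safe(const char *val, uintmax_t *vp, char *reply, size_t reply_len)
{
    uintmax_t to;
    if (!parse_utimeout(val, &to))
        return 0;
    int n = snprintf(reply, reply_len, "%ju", to);
    if (n < 0 || (size_t)n >= reply_len)
        return 0;                   /* would not fit: reject the option */
    *vp = to;
    return 1;
}

/* Helper: run set_utimeout_safe with a reply_len-byte window of a local
 * buffer and report whether it accepted val and produced exactly expected. */
int safe_reply_equals(const char *val, size_t reply_len, const char *expected)
{
    char buf[SAFE_REPLY_LEN];
    uintmax_t to = 0;
    if (reply_len > sizeof buf)
        reply_len = sizeof buf;
    if (!set_utimeout_safe(val, &to, buf, reply_len))
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed probe values: both range ends, two out-of-range, one malformed. */
    const char *probes[] = { "10000", "255000000", "9999", "255000001", "-5" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uintmax_t to = parsed_or_zero(probes[i]);
        if (to == 0) {
            printf("%-10s rejected\n", probes[i]);
            continue;
        }
        printf("%-10s needs %zu bytes; overflows a %d-byte reply: %s\n",
               probes[i], decimal_len_with_nul(to), SMALL_REPLY_LEN,
               reply_would_overflow(to, SMALL_REPLY_LEN) ? "yes" : "no");
    }
    return 0;
}
```

The point the measurement makes is that range checking alone does not save a fixed-size reply buffer: the range admits only values of five to nine digits, each of which needs six to ten bytes, so a 4-byte array is overrun by every accepted value, not just by a crafted extreme. The hardened version ties the buffer size to the maximum legal value and still checks the snprintf result, so a later change to the range turns into a rejected option rather than a memory write.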
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/tftp-hpa-buffer-overflow-via-utimeout-10803