Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21188
HistoryJan 18, 2009 - 12:00 a.m.

TFTPUtil GUI TFTP Server Denial of Service Vulnerability

2009-01-1800:00:00
vulners.com
27
JSON

[–Vulnerability Summary–]

Title: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Product: TFTPUtil GUI

Discovered: November 26, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: k23productions (as per various download sites)
Vendor URL: http://sourceforge.net/projects/tftputil
Vendor notification date: December 1, 2008
Vendor response date: December 8, 2008
Vendor acknowledgment: December 8, 2008
Vendor provided fix: December 8, 2008
Release coordinated with the vendor: –
Public disclosure date: January 14, 2009

Affects: TFTPUtil GUI versions 1.2.0 and 1.3.0
Fixed in: 1.4.0
Risk: High

Vulnerability Description: TFTPUtil GUI versions 1.2.0 and 1.3.0 are vulnerable to a remote
denial-of-service vulnerability because it fails to handle user-supplied input. Sending a specially
crafted TFTP request with a overlong filename will cause the application to become unstable and stop
responding.

Impact: A remote or local attacker can exploit this flaw by sending a specially crafted packet to
the TFTP server. Successful exploitation of this flaw will cause the TFTP server process to crash
preventing valid users or devices from using the service. The TFTP server will need to be restarted
to resume normal TFTP server operations.

Keywords: security, vulnerability, tftp, dos, princeofnigeria, gui, windows, server, denial, service

[–Background–]

Type of vulnerability: Input validation flaw
Who can exploit it: Local or Remote users

TFTPUtil GUI is an application that provides services for transferring configuration files,
firmware files and other types of data using the TFTP protocol. The application should validate and
sanitize all user input to prevent unexpected conditions.

Vulnerability Scope: The default installation of TFTPUtil 1.20. or 1.3.0 will allow exploitation of
this vulnerability.

[–More Details–]

Exploitation of this flaw is trivial and can be executed using any RFC 1350 compliant TFTP client
software. No exploit code is required.

[–Fix or Workaround Information–]

Patch availability: 1.4.0
Vendor provided fix: 1.4.0
Workarounds: Upgrade to version 1.4.0 addresses this vulnerability

[–Disclosure Policy–]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[–Disclosure History–]

Public disclosure date: January 14, 2009

[–References–]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[–Author–]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

JSON