BootManage TFTPD is a TFTP server for Windows implemented in BootManage
Administrator.
Although exist TFTP servers for other platforms on the bootix website,
only this 32 bit version for Windows is the most updated.
The TFTP server is affected by a buffer-overflow vulnerability
exploitable with a filename longer than 32 bytes when used for building
the log string: sprintf(buffer, "%s: %s", filename, log_entry)
#######################################################################
Luigi Auriemma
Application: BootManage TFTPD
http://www.bootix.com/products/administrator_en.html
Versions: <= 1.99 (BootManage Administrator <= 7.1)
Platforms: Windows
Bug: buffer-overflow
Exploitation: remote
Date: 16 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
BootManage TFTPD is a TFTP server for Windows implemented in BootManage
Administrator.
Although exist TFTP servers for other platforms on the bootix website,
only this 32 bit version for Windows is the most updated.
#######################################################################
======
2) Bug
======
The TFTP server is affected by a buffer-overflow vulnerability
exploitable with a filename longer than 32 bytes when used for building
the log string: sprintf(buffer, "%s: %s", filename, log_entry)
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/tftpx.zip
tftpx -f SERVER 2000 none
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org
[ reply ]