J-Security Center


Title: WVTFTP Server Remote Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

The WvTftp server is an open source TFTP server released under the GNU Lesser General Public License. It is available for the Linux platform and is also included as part of the Nitix Server operating system.

A remote buffer overflow vulnerability affects WvTftp. This issue is due to a failure of the application to perform proper sanity checking on string value pairs in TFTP packets.

The problem presents itself when a malicious packet containing an option name with an excessively long integer value in ASCII format is sent to the affected server. The 'new_connection()' method of the 'WvTFTPServer' server object, located in the 'wvtftpserver.cc' file, apparently uses the 'atoi()' function to convert the ASCII-represented integer value. The 'atoi()' function converts the string into an integer until it reaches an ASCII character other than a number, and returns no error if that non-number character is not a NULL byte.

The integer returned by 'atoi()' is then verified to be between 8 and 65464 bytes. The error is that the NULL-terminated value string is then trusted to be no more than five bytes long and is copied into a finite heap buffer using a 'strcpy()' function call.
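The following added example (not WvTftp code, and not from the advisory) contrasts the 'atoi()'-only range check described above with a parse that bounds the value's length before converting or copying it. The function names, the six-byte destination size (five digits plus the terminator) and the sample strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPT_MIN 8
#define OPT_MAX 65464
#define VALUE_BUF_LEN 6 /* assumed: five digits plus the terminating NUL */
/* Constructed sample option values, not captured traffic. */
static const char SAMPLE_OK[] = "1432";
static const char SAMPLE_TRAILING[] = "512AAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* The check as the advisory describes it: only the atoi() result is range
 * tested, so bytes after the digits go unnoticed. Returns 1 if accepted. */
int atoi_only_check(const char *value)
{
    int n = atoi(value);
    return n >= OPT_MIN && n <= OPT_MAX;
}

/* Hardened parse (hypothetical helper). max_len is the number of bytes left
 * in the packet. Returns 0 and fills out/parsed on success, -1 on reject. */
int parse_option_value(const char *value, size_t max_len,
                       char out[VALUE_BUF_LEN], long *parsed)
{
    const char *nul = memchr(value, '\0', max_len);
    char *end = NULL;
    long n;

    if (nul == NULL || nul == value || (size_t)(nul - value) >= VALUE_BUF_LEN)
        return -1; /* unterminated, empty, or too long for the buffer */
    if (value[0] < '0' || value[0] > '9')
        return -1; /* strtol() would accept leading space or a sign */
    n = strtol(value, &end, 10); /* at most five digits: cannot overflow */
    if (*end != '\0' || n < OPT_MIN || n > OPT_MAX)
        return -1; /* trailing non-digit bytes, or out of range */
    memcpy(out, value, (size_t)(nul - value) + 1); /* proven to fit */
    *parsed = n;
    return 0;
}

int main(void)
{
    char out[VALUE_BUF_LEN];
    long n = 0;
    printf("atoi-only check: %d\n", atoi_only_check(SAMPLE_TRAILING));
    printf("hardened parse:  %d\n",
           parse_option_value(SAMPLE_TRAILING, sizeof SAMPLE_TRAILING, out, &n));
    return 0;
}
```

The length test comes first so that neither the conversion nor the copy ever sees a string longer than the destination can hold.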

An attacker may leverage this issue to corrupt process heap memory, facilitating code execution and a compromise of the affected computer. It is also reported that the affected TFTP server runs with superuser privileges by default.

Although only WvTftp version 0.9 is reported vulnerable, it is likely that earlier versions are vulnerable as well.

Affected Products:

  • Net Integration Technologies Inc. Nitix PE 0.0.0
  • Net Integration Technologies Inc. Nitix SB 0.0.0
  • Net Integration Technologies Inc. Nitix SE 0.0.0
  • Net Integration Technologies Inc. WvTftp 0.9.0
