Title: ATFTPD Remote Filename Length Buffer Overrun Vulnerability
Severity: CRITICAL
Description:
atftpd is a multi-threaded TFTP server available for the GNU/Linux operating system. It can be invoked only by the inetd superserver and, as a result, runs with root privileges.
A vulnerability has been reported for atftpd. The problem is said to occur due to insufficient bounds checking when handling filenames of excessive length. By attempting to upload a file with a name of approximately 253 or more bytes of data, it may be possible to trigger a buffer overrun. This could result in the corruption of sensitive stack variables, such as a function pointer or saved return address.
The overrun specifically occurs during a call to the tftpd_send_file() function within the tftpd_file.c source file. The affected function does not correctly calculate the size of the data already located within the filename[] buffer. This occurs during a call to strncat() when appending the user-supplied data to the buffer. Due to the miscalculation, the attacker is capable of copying MAXLEN (252) + the length of the directory name into a buffer of size MAXLEN, effectively corrupting adjacent stack variables.
The successful exploitation of this issue would result in an attacker corrupting memory in such a way as to seize control of the process. By returning the program into attacker-supplied instructions, it may be possible to execute arbitrary commands with root privileges.
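The strncat() miscalculation described above, as an added example that is not atftpd source code: it computes how far the flawed bound can write and shows a bounded path join that rejects overlong names. The helper names, the "/tftpboot/" directory and the sample filename are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN 252 /* buffer size given in the advisory */

/*
 * Illustrative reconstruction of the flawed pattern (comment only, never
 * run, not atftpd's actual code):
 *     char filename[MAXLEN];
 *     strcpy(filename, directory);
 *     strncat(filename, requested, MAXLEN);
 * strncat()'s size argument bounds the bytes taken from the source. It
 * knows nothing about the bytes already sitting in the destination.
 */

/* Worst-case bytes that pattern writes: prefix + MAXLEN appended + NUL. */
size_t flawed_worst_case(const char *directory)
{
    return strlen(directory) + MAXLEN + 1;
}

/*
 * Hardened form (hypothetical helper): subtract what is already in the
 * buffer and reject an overlong name instead of silently truncating it.
 * Returns 0 on success, -1 if the joined path does not fit in out[].
 */
int build_path(char *out, size_t outsz, const char *directory,
               const char *requested)
{
    size_t dlen = strlen(directory);
    size_t rlen = strlen(requested);
    if (outsz == 0 || dlen >= outsz)
        return -1;                     /* no room for prefix + NUL */
    if (rlen > outsz - dlen - 1)
        return -1;                     /* name would overrun the buffer */
    memcpy(out, directory, dlen);
    memcpy(out + dlen, requested, rlen + 1); /* copies the NUL too */
    return 0;
}

int main(void)
{
    char out[MAXLEN], name[254];
    memset(name, 'A', 253);            /* constructed 253-byte filename */
    name[253] = '\0';
    printf("flawed worst case: %zu bytes into a %d-byte buffer\n",
           flawed_worst_case("/tftpboot/"), MAXLEN);
    printf("253-byte name accepted? %s\n",
           build_path(out, sizeof out, "/tftpboot/", name) == 0 ? "yes" : "no");
    return 0;
}
```

Rejecting the request is preferable to truncating here, because a silently shortened filename could resolve to a different file than the one the client named.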
Affected Products:
- atftpd atftpd 0.6.0 .0
- atftpd atftpd 0.6.1 .1