tftpd32 Format string

2006.01.21
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Critical security advisory #006

Tftpd32 2.81 Format String + DoS PoC

Critical Security - 22:03 2006.01.19

Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits: Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200

Due to incorrect use of format strings there is a possibility of remote code execution. You can trigger this vulnerability by sending a SEND or GET request with a specially formatted string.

Vulnerable code:

    LEA ECX,DWORD PTR SS:[ESP+430]
    LEA EAX,DWORD PTR SS:[ESP+1C]
    PUSH ECX                               ; /Arglist
    PUSH EDX                               ; |Format
    PUSH EAX                               ; |s = 00E6F4E8
    CALL DWORD PTR DS:[<&USER32.wvsprintfA>] ; wvsprintfA

Proof of concept exploit: http://www.critical.lt/research/tftpd32_281_dos.txt
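The disassembly above passes a non-constant Format (EDX) to wvsprintfA. The following C sketch is an added example, not code from the advisory or from Tftpd32: it shows that bug class beside the corrected call, using standard vsnprintf as a stand-in for USER32's wvsprintfA. The function names, the log message text and the sample filename are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 256

/* Stand-in for the wvsprintfA(s, Format, Arglist) call in the disassembly:
   formats into a bounded buffer from a caller-supplied format and va_list. */
static int log_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* BEFORE: the request filename is used as the format string itself, so any
   '%' directive inside it is interpreted by the formatter. */
int log_request_unsafe(char *out, size_t outsz, const char *filename)
{
    return log_format(out, outsz, filename);
}

/* AFTER: constant format; the filename is only ever data for %s. */
int log_request_safe(char *out, size_t outsz, const char *filename)
{
    return log_format(out, outsz, "Read request for file <%s>", filename);
}

/* Optional defence in depth at the request parser: flag names carrying '%'. */
int has_format_directive(const char *filename)
{
    return strchr(filename, '%') != NULL;
}

int main(void)
{
    char buf[LOG_BUF];
    const char *name = "100%%.bin";          /* constructed sample name */

    log_request_unsafe(buf, sizeof buf, name);
    printf("unsafe: %s\n", buf);             /* "%%" was collapsed to "%" */
    log_request_safe(buf, sizeof buf, name);
    printf("safe:   %s\n", buf);             /* name logged byte for byte */
    return 0;
}
```

The sample name uses only `%%`, which consumes no arguments, so the difference in output shows the formatter interpreting request data without triggering undefined behaviour.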

