Vulnerabilities > CVE-2003-0380 - Unspecified vulnerability in Atftpd 0.6.0/0.6.1.1
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Buffer overflow in atftp daemon (atftpd) 0.6.1 and earlier, and possibly later versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Exploit-Db
description | Atftpd 0.6 Remote Root Exploit (atftpdx.c). CVE-2003-0380. Remote exploit for linux platform |
id | EDB-ID:39 |
last seen | 2016-01-31 |
modified | 2003-06-10 |
published | 2003-06-10 |
reporter | gunzip |
source | https://www.exploit-db.com/download/39/ |
title | Atftpd 0.6 - Remote Root Exploit atftpdx.c |
Nessus
NASL family Gain a shell remotely
NASL id TFTPD_OVERFLOW.NASL
description The remote TFTP server dies when it receives a too big UDP datagram. An attacker may use this flaw to disable the server, or even execute arbitrary code on the system.
last seen 2020-06-01
modified 2020-06-02
plugin id 18264
published 2005-05-16
reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/18264
title TFTPD Server Filename Handling Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#
# Not tested against a vulnerable server!
#
# Registration block for plugin 18264. The check that follows it is a generic
# "does the TFTP service survive an oversized request" probe rather than an
# atftpd-specific test, which is why two CVEs are attached to it, and it only
# runs when the scan is configured with Settings/ParanoidReport.

include("compat.inc");

if (description)
{
  script_id(18264);
  script_version("1.21");
  script_cvs_date("Date: 2019/03/06 18:38:55");

  # Not sure for 10526 or 11584
  # BID=6043 / CVE-2002-1542 is different
  script_cve_id("CVE-2002-0813", "CVE-2003-0380");
  script_bugtraq_id(401, 5328, 7819);

  script_name(english:"TFTPD Server Filename Handling Remote Overflow");
  script_summary(english:"Crashes TFTPD with a big UDP datagram");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by a buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote TFTP server dies when it receives a too big UDP datagram. 
An attacker may use this flaw to disable the server, or even execute arbitrary code on the system.");
  script_set_attribute(attribute:"solution", value:"Upgrade software, or disable this service.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # CWE-119: improper restriction of operations within the bounds of a memory buffer.
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/16");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Not an ACT_DESTRUCTIVE_ATTACK (see CVE-2002-0813), should be an ACT_KILL_HOST
  # but sending 700+ packets is slow
  script_category(ACT_FLOOD);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gain a shell remotely");
  # Paranoid-only: the probe can take down the very service it is testing.
  script_require_keys("Services/udp/tftp", "Settings/ParanoidReport");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("dump.inc");

# Bail out on non-paranoid scans (matches the Settings/ParanoidReport requirement above).
if (report_paranoia < 2) audit(AUDIT_PARANOID);
# The probe forges raw IPv4 packets, so IPv6 targets are skipped.
if ( TARGET_IS_IPV6 ) exit(0);
if(islocalhost()) exit(0); # ?
# This function cannot yet send UDP packets bigger than the MTU
# TBD: write 'fragment_packet' function
#
# tftp_ping(port, huge): send one TFTP read request (opcode 1, mode
# "netascii") to the target's UDP port and report whether a DATA (3) or
# ERROR (5) reply comes back.
#   port - UDP port of the TFTP service.
#   huge - when set, the requested filename is a filler string of that many
#          bytes (the oversized request); when unset, a short random name.
# Returns TRUE if a reply was seen within two attempts, FALSE otherwise.
function tftp_ping(port, huge)
{
  local_var req, rep, sport, ip, u, filter, data, i;

  debug_print('tftp_ping: huge=', huge, '\n');
  # RRQ layout: 2-byte opcode 0x0001, filename, NUL, mode, NUL.
  if (huge)
    req = '\x00\x01'+crap(huge)+'\0netascii\0';
  else
    req = '\x00\x01Nessus'+rand()+'\0netascii\0';

  # Random unprivileged source port (1024..65535); the capture filter below keys on it.
  sport = rand() % 64512 + 1024;
  ip = forge_ip_packet(ip_hl : 5, ip_v: 4, ip_tos:0, ip_len:20, ip_off:0, ip_ttl:64, ip_p:IPPROTO_UDP, ip_src: compat::this_host());
  u = forge_udp_packet(ip:ip, uh_sport: sport, uh_dport:port, uh_ulen: 8 + strlen(req), data:req);
  # Only UDP from the target back to our source port whose first payload byte
  # is 0x00 (the high byte of every TFTP opcode).
  filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';
  data = NULL;

  for (i = 0; i < 2; i ++) # Try twice
  {
    rep = send_packet(u, pcap_active:TRUE, pcap_filter:filter);
    if(rep)
    {
      if (debug_level > 2) dump(ddata: rep, dtitle: 'TFTP (IP)');
      data = get_udp_element(udp: rep, element:"data");
      if (debug_level > 1) dump(ddata: data, dtitle: 'TFTP (UDP)');
      # Either a DATA (3) or an ERROR (5) packet shows the daemon is still answering.
      if (data[0] == '\0' && (data[1] == '\x03' || data[1] == '\x05'))
      {
        debug_print('tftp_ping(port=', port, ',huge=', huge, ') succeeded\n');
        return TRUE;
      }
    }
  }
  debug_print('tftp_ping(port=', port, ',huge=', huge, ') failed\n');
  return FALSE;
}

#
# Main check: baseline request, one oversized request, then re-check both the
# TFTP service and the host.
#
port = get_kb_item('Services/udp/tftp');
if (! port) port = 69;
# Skip targets another plugin has already marked under tftp/<port>/backdoor.
if (get_kb_item('tftp/'+port+'/backdoor')) exit(0);

# Without a baseline answer a later silence proves nothing, so stop here.
if (! tftp_ping(port: port)) exit(0);

start_denial();
# 700 is good for CISCO, and more than enough for atftpd
# 1000 might be necessary WinAgents, but the flaw might be different
tftp_ping(port: port, huge: 1000);
# I'll check this first, in case the device reboots
tftpalive = tftp_ping(port: port);
alive = end_denial();

# A host that stops responding is reported separately from a daemon that
# merely stopped answering TFTP.
if (! alive)
{
  report = string("\n\n", "The remote device freezes or reboots when a too big UDP datagram","\n", "is sent to the TFTP server.", "\n");
  security_hole(port: port, proto: "udp", extra:report);
}
else if (! tftpalive)
  security_hole(port: port, proto: "udp");

# Persist the outcome in the KB under tftp/<port>/overflow.
if (! alive || ! tftpalive) set_kb_item(name: 'tftp/'+port+'/overflow', value: TRUE);
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-314.NASL
description Rick Patel discovered that atftpd is vulnerable to a buffer overflow when a long filename is sent to the server. An attacker could exploit this bug remotely to execute arbitrary code on the server.
last seen 2020-06-01
modified 2020-06-02
plugin id 15151
published 2004-09-29
reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/15151
title Debian DSA-314-1 : atftp - buffer overflow
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-314. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (credentialed) check: compares the atftp/atftpd package versions
# found in dpkg output against the DSA-314 reference version. Nothing is
# sent to the TFTP service itself.

include("compat.inc");

if (description)
{
  script_id(15151);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2003-0380");
  script_xref(name:"DSA", value:"314");

  script_name(english:"Debian DSA-314-1 : atftp - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Rick Patel discovered that atftpd is vulnerable to a buffer overflow when a long filename is sent to the server. An attacker could exploit this bug remotely to execute arbitrary code on the server."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-314"
  );
  # NOTE(review): this solution text names 0.6.1.1.0woody1 as the fixed
  # version, while the deb_check() calls further down compare against
  # 0.6.0woody1 — confirm which version DSA-314 actually lists before
  # relying on this plugin's verdict.
  script_set_attribute(
    attribute:"solution",
    value:
"For the stable distribution (woody), this problem has been fixed in version 0.6.1.1.0woody1. The old stable distribution (potato) does not contain an atftp package. We recommend that you update your atftp package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:atftp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/06/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: credentialed access, a Debian target and a dpkg package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# flag is bumped for each of the two woody (3.0) packages, atftp and atftpd,
# that deb_check() reports against the reference version (presumably an
# installed version below it — verify against debian_package.inc).
flag = 0;
if (deb_check(release:"3.0", prefix:"atftp", reference:"0.6.0woody1")) flag++;
if (deb_check(release:"3.0", prefix:"atftpd", reference:"0.6.0woody1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");