############################################################################## Hillstone Software HS TFTP Server Denial Of Service Vulnerability SecPod Technologies (www.secpod.com) Author: Prabhu S Angadi ############################################################################## SecPod ID: 1031 21/09/2011 Issue Discovered 04/10/2011 Vendor Notified No Response from Vendor 02/12/2011 Advisory Released Class: Denial Of Service Severity: Medium Overview: --------- Hillstone Software HS TFTP Server version 1.3.2 is prone to a denial of service vulnerability. Technical Description: ---------------------- The vulnerability is caused due to improper validation of WRITE/READ Request Parameter containing long file name, which allows remote attackers to crash the service. Impact: -------- Successful exploitation could allow an attacker to cause denial of service condition. Affected Software: ------------------ Hillstone Software HS TFTP 1.3.2 Tested on: ----------- Hillstone Software HS TFTP 1.3.2 on Windows XP SP3 & Win 7. Older versions might be affected. References: ----------- http://secpod.org/blog/?p=419 http://www.hillstone-software.com/index.htm http://www.hillstone-software.com/hs_tftp_details.htm http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py Proof of Concept: ---------------- http://secpod.org/exploits/SecPod_Exploit_Hillstone_Software_HS_TFTP_Server_DoS.py Solution: ---------- Not available Risk Factor: ------------- CVSS Score Report: ACCESS_VECTOR = NETWORK ACCESS_COMPLEXITY = LOW AUTHENTICATION = NOT_REQUIRED CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = NONE AVAILABILITY_IMPACT = PARTIAL EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) Risk factor = Medium