CVE-2007-1435
published 2007-03-13


Priority: P3 (51)
Severity: critical, CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 42.82% (98.5th percentile)
Buffer overflow in D-Link TFTP Server 1.0 allows remote attackers to cause a denial of service (crash) via a long (1) GET or (2) PUT request, which triggers memory corruption. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Affected (1 range)

Vendor    Product       Version range   Fixed in
d-link    tftp_server   (not stated)    (not stated)

Detection & IOCs (extracted from sources)

port: 69/UDP
other: 0x77e1ccf7 (jmp ebx, Windows 2000 SP4 English)
other: 0x77f8361b (jmp ebx, Windows 2000 SP3 English)
version: D-Link TFTP Server 1.0
bytes: \x00\x01 followed by 581 bytes of alpha-upper, jmp_short(42), 38 bytes of alpha-upper, ret address, payload
  • Alert on UDP port 69 traffic where the TFTP request packet (opcode 0x0001 RRQ or 0x0002 WRQ) contains a filename field exceeding ~581 bytes; this length is indicative of the overflow trigger.
  • Detect TFTP packets beginning with opcode bytes \x00\x01 (RRQ) followed by a filename payload of 581+ bytes of contiguous uppercase alpha characters; this matches the Metasploit exploit structure exactly.
  • Look for the return address values 0x77e1ccf7 or 0x77f8361b (jmp ebx gadgets) embedded within oversized TFTP filename fields as indicators of active exploitation attempts against Windows 2000 targets.
  • Flag TFTP GET or PUT requests where the filename/mode field total length exceeds normal bounds (e.g., >100 bytes), as the vulnerability is triggered by an overly long filename in either RRQ or WRQ opcodes.
  • The exploit requires bind payloads (not reverse) for best results due to the UDP-based transport and NX constraints; reverse connection payloads are explicitly excluded in the Metasploit module compatibility settings.
  • The null byte (\x00) is a bad character for the payload, meaning shellcode must be null-free; detection signatures should account for the absence of null bytes within the oversized filename region.
  • The exploit targets only Windows 2000 SP3 and SP4 English; the hardcoded return addresses are OS/SP-specific and will not work reliably on other platforms, limiting the scope of exploitation in the wild.
  • The provenance of the original vulnerability details is unknown per NVD; details are derived solely from third-party sources, so behavioral indicators from the Metasploit module are the primary reliable detection basis.
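The detection bullets above can be turned into a small packet check. The following Python is an added example written for this page, not code from the CVE record, NVD or the Metasploit module: it parses the RRQ/WRQ header of a UDP payload (opcode, NUL-terminated filename, mode), applies the length thresholds quoted above (>100 bytes as a loose bound, 581+ bytes as the exact trigger), notes a filename that is never NUL-terminated, and searches for the little-endian encodings of the two return addresses listed under IOCs. The two sample packets (BENIGN_RRQ and SUSPICIOUS_RRQ) are constructed here for illustration; the short-jump slot and payload in the suspicious sample are filler bytes, not the real exploit contents.

```python
import struct

# Little-endian encodings of the two jmp ebx return addresses listed on the page.
KNOWN_RET_ADDRS = {
    bytes.fromhex("f7cce177"): "0x77e1ccf7 (jmp ebx, Windows 2000 SP4 English)",
    bytes.fromhex("1b36f877"): "0x77f8361b (jmp ebx, Windows 2000 SP3 English)",
}

LOOSE_LIMIT = 100    # "normal bounds" threshold from the detection notes
TRIGGER_LEN = 581    # filename length used by the public exploit structure

RRQ, WRQ = 1, 2


def parse_tftp_request(pkt: bytes):
    """Parse a TFTP RRQ/WRQ (RFC 1350): opcode, filename\\0, mode\\0.

    Returns None for non-request packets. A filename with no terminating NUL
    (which is what an oversized, null-free buffer looks like) is returned as
    the whole remainder of the packet with terminated=False.
    """
    if len(pkt) < 2:
        return None
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    body = pkt[2:]
    nul = body.find(b"\x00")
    if nul == -1:
        return {"opcode": opcode, "filename": body, "mode": b"", "terminated": False}
    filename = body[:nul]
    rest = body[nul + 1:]
    nul2 = rest.find(b"\x00")
    mode = rest if nul2 == -1 else rest[:nul2]
    return {"opcode": opcode, "filename": filename, "mode": mode, "terminated": True}


def assess_tftp_request(pkt: bytes):
    """Return a list of findings for one UDP/69 payload; empty means nothing suspicious."""
    findings = []
    req = parse_tftp_request(pkt)
    if req is None:
        return findings
    n = len(req["filename"])
    if n > LOOSE_LIMIT:
        findings.append(f"oversized filename ({n} bytes > {LOOSE_LIMIT})")
    if n >= TRIGGER_LEN:
        findings.append(f"filename >= {TRIGGER_LEN} bytes (CVE-2007-1435 trigger length)")
        head = req["filename"][:TRIGGER_LEN]
        if all(0x41 <= b <= 0x5A for b in head):   # contiguous A-Z
            findings.append("581 bytes of contiguous uppercase alpha (exploit buffer pattern)")
    if not req["terminated"]:
        findings.append("filename not NUL-terminated (null-free buffer)")
    for enc, desc in KNOWN_RET_ADDRS.items():
        if enc in pkt:
            findings.append(f"known return address {desc}")
    return findings


# Constructed sample packets (not captured traffic).
BENIGN_RRQ = b"\x00\x01" + b"boot.bin\x00" + b"octet\x00"
SUSPICIOUS_RRQ = (
    b"\x00\x01"
    + b"A" * TRIGGER_LEN          # oversized uppercase filename region
    + b"JJ"                       # placeholder for the 2-byte short-jump slot
    + b"B" * 38                   # 38 bytes of filler, as in the IOC byte layout
    + bytes.fromhex("f7cce177")   # 0x77e1ccf7 little-endian
    + b"P" * 16                   # placeholder payload bytes
)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RRQ), ("suspicious", SUSPICIOUS_RRQ)):
        print(name, assess_tftp_request(pkt) or "clean")
```

In a sensor this check would run on every UDP datagram to port 69; the NUL-termination finding is worth keeping separate from the length finding, because a legitimately long but well-formed path trips only the former threshold, while the overflow buffer trips both.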