CVE-2007-1435
Published 2007-03-13
Priority P3 51 · critical · CVSS 2.0 score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 42.82% (98.5th percentile)
Buffer overflow in D-Link TFTP Server 1.0 allows remote attackers to cause a denial of service (crash) via a long (1) GET or (2) PUT request, which triggers memory corruption. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d-link | tftp_server | — | — |
Detection & IOCs (extracted from sources)
Exploit packet structure (bytes): \x00\x01 followed by 581 bytes of alpha-upper, jmp_short(42), 38 bytes of alpha-upper, ret address, payload
- Alert on UDP port 69 traffic where the TFTP request packet (opcode 0x0001 RRQ or 0x0002 WRQ) contains a filename field exceeding ~581 bytes, indicative of the overflow trigger.
- Detect TFTP packets beginning with opcode bytes \x00\x01 (RRQ) followed by a filename payload of 581+ bytes of contiguous uppercase alpha characters; this matches the Metasploit exploit structure exactly.
- Look for the return address values 0x77e1ccf7 or 0x77f8361b (jmp ebx gadgets) embedded within oversized TFTP filename fields as indicators of active exploitation attempts against Windows 2000 targets.
- Flag TFTP GET or PUT requests where the filename/mode field total length exceeds normal bounds (e.g., >100 bytes), as the vulnerability is triggered by an overly long filename in either RRQ or WRQ opcodes.
- The exploit requires bind payloads (not reverse) for best results due to the UDP-based transport and NX constraints; reverse connection payloads are explicitly excluded in the Metasploit module compatibility settings.
- The null byte (\x00) is a bad character for the payload, meaning shellcode must be null-free; detection signatures should account for the absence of null bytes within the oversized filename region.
- The exploit targets only Windows 2000 SP3 and SP4 English; the hardcoded return addresses are OS/SP-specific and will not work reliably on other platforms, limiting the scope of exploitation in the wild.
- The provenance of the original vulnerability details is unknown per NVD; details are derived solely from third-party sources, so behavioral indicators from the Metasploit module are the primary reliable detection basis.
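The opcode and filename-length checks in the detection notes above, written out as an added Python example (this is not code from the page's sources or from the Metasploit module). It parses the RFC 1350 RRQ/WRQ layout (opcode, NUL-terminated filename, NUL-terminated mode), flags filename fields over the ~100-byte and 581-byte thresholds, checks for the contiguous uppercase-alpha run, and still classifies a request whose NUL terminators are missing. The function names, the `SUSPICIOUS_LEN`/`TRIGGER_LEN` constants and all sample datagrams are constructed for this example.

```python
"""Flag oversized TFTP RRQ/WRQ requests on UDP/69 (CVE-2007-1435 trigger shape).
Added defender-side example; the datagrams below are constructed, not captures."""
import struct

OPCODE_RRQ, OPCODE_WRQ = 1, 2
OPCODE_NAMES = {OPCODE_RRQ: "RRQ (GET)", OPCODE_WRQ: "WRQ (PUT)"}
VALID_MODES = (b"netascii", b"octet", b"mail")
SUSPICIOUS_LEN = 100   # threshold from the detection notes: no sane filename is this long
TRIGGER_LEN = 581      # filename length that matches the known overflow trigger


def parse_tftp_request(payload):
    """Parse a TFTP request (RFC 1350): opcode(2) | filename NUL | mode NUL.
    Returns (opcode, filename, mode) for RRQ/WRQ, or None for anything else."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in OPCODE_NAMES:
        return None
    rest = payload[2:]
    try:
        filename, mode, _trailing = rest.split(b"\x00", 2)
    except ValueError:
        # Fewer than two NUL terminators: malformed request. Treat the whole
        # remainder as the filename so an oversized, unterminated request is
        # still measured rather than silently dropped.
        filename, mode = rest, b""
    return opcode, filename, mode


def inspect_request(payload):
    """Classify one UDP/69 datagram; returns a dict with verdict and reasons."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return {"verdict": "ignore", "opcode": None, "filename_len": 0,
                "reasons": ["not an RRQ/WRQ"]}
    opcode, filename, mode = parsed
    n = len(filename)
    reasons = []
    if n >= TRIGGER_LEN:
        reasons.append(f"filename {n} bytes >= {TRIGGER_LEN}, matches the overflow trigger size")
        if all(0x41 <= b <= 0x5A for b in filename[:TRIGGER_LEN]):
            reasons.append("first 581 bytes are a contiguous uppercase-alpha run (padding shape)")
    elif n > SUSPICIOUS_LEN:
        reasons.append(f"filename {n} bytes > {SUSPICIOUS_LEN}, far beyond normal TFTP use")
    if mode.lower() not in VALID_MODES:
        reasons.append(f"mode field {mode!r} is not netascii/octet/mail")
    if n >= TRIGGER_LEN:
        verdict = "alert"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "opcode": OPCODE_NAMES[opcode],
            "filename_len": n, "reasons": reasons}


def scan_datagrams(datagrams):
    """Return the inspection results for every datagram that is not plainly ok."""
    results = (inspect_request(p) for p in datagrams)
    return [r for r in results if r["verdict"] in ("suspicious", "alert")]


# Constructed sample datagrams (UDP payloads as they would arrive on port 69).
SAMPLE_BENIGN = b"\x00\x01" + b"boot.cfg\x00" + b"octet\x00"
SAMPLE_OVERSIZED = b"\x00\x02" + b"B" * 200 + b"\x00" + b"octet\x00"
SAMPLE_TRIGGER = b"\x00\x01" + b"A" * 581 + b"B" * 40 + b"\x00" + b"netascii\x00"
SAMPLE_UNTERMINATED = b"\x00\x01" + b"A" * 600            # no NUL terminators at all
SAMPLE_DATA = b"\x00\x03\x00\x01" + b"hello"               # DATA block, not a request

if __name__ == "__main__":
    samples = [SAMPLE_BENIGN, SAMPLE_OVERSIZED, SAMPLE_TRIGGER,
               SAMPLE_UNTERMINATED, SAMPLE_DATA]
    for r in scan_datagrams(samples):
        print(r["verdict"], r["opcode"], r["filename_len"], "; ".join(r["reasons"]))
```

The two-tier threshold mirrors the notes: anything over 100 bytes is worth a look, while 581 or more is the shape of the known trigger and is raised to an alert regardless of the mode field. The missing-terminator path matters because a request that omits the NULs would otherwise be discarded by a strict parser and never measured.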
No detection rules found.
Exploit-DB: D-Link TFTP 1.0 - 'Filename' Remote Buffer Overflow (Metasploit) (exploitdb · 2010-05-09 · CVE-2007-1435)
---
```ruby
##
# $Id: dlink_long_filename.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in D-Link TFTP 1.0.
				By sending a request for an overly long file name, an attacker
				could overflow a buffer and execute arbitrary code. For best results,
				use bind payloads with nonx (No NX).
			},
			'Author'         =>
				[
					'LSO',      # Exploit module
					'patrick',  # Ref
					# (module listing is truncated at this point in the source)
```
Exploit-DB: D-Link TFTP 1.0 - Transporting Mode Remote Buffer Overflow (exploitdb · 2007-03-12 · CVE-2007-1435)
---
Source: https://www.securityfocus.com/bid/22923/info
D-Link TFTP is prone to a buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before storing it in a finite-sized buffer.
A remote attacker can exploit this issue to cause the application to crash, denying further service to legitimate users. Given the nature of this issue, the attacker may presumably be able to execute code.
D-Link TFTP 1.0 is vulnerable; other versions may also be affected.
```ruby
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use
# (module listing is truncated at this point in the source)
```
Metasploit: D-Link TFTP 1.0 Long Filename Buffer Overflow (metasploit · published 2007-03-13)
This module exploits a stack buffer overflow in D-Link TFTP 1.0. By sending a request for an overly long file name, an attacker could overflow a buffer and execute arbitrary code. For best results, use bind payloads with nonx (No NX).