CVE-2008-2161
Published 2008-05-12
Priority P2 · 61 · critical · CVSS 2.0 base score 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available · EPSS 65.28% (99.2th percentile)
Buffer overflow in TFTP Server SP 1.4 and 1.5 on Windows, and possibly other versions, allows remote attackers to execute arbitrary code via a long TFTP error packet. NOTE: some of these details are obtained from third party information.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open_tftp_server_project | open_tftp_server | <= 1.66 | — |
| tftp | tftp_server_sp | — | — |
| tftp | tftp_server_sp | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x00\x05
- bytes: \x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24
- Detect oversized TFTP Error packets (opcode 0x0005) sent to UDP/69. Legitimate TFTP error messages are short; payloads exceeding ~19,900 bytes are characteristic of this exploit.
- Alert on TFTP Error packets (opcode \x00\x05) followed by large NOP sleds (~19907–19955 bytes of \x90) targeting UDP port 69.
- Successful exploitation results in a bind shell on TCP port 4444 (windows/shell_bind_tcp, EXITFUNC=seh). Monitor for unexpected listening sockets on port 4444 on TFTP server hosts.
- The Metasploit module exploits the same class of vulnerability via a malformed TFTP error opcode triggering a sprintf() overflow, allowing RCE as SYSTEM. Correlate TFTP error opcode traffic with process privilege escalation events.
- The exploit offset to EIP differs depending on whether OpenTFTP SP 1.4 is running as a 'Service' (~20,459 bytes) or 'Stand Alone' program (~20,411 bytes). Detection rules should account for both payload sizes.
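The two traffic heuristics above (oversized ERROR packet, long 0x90 run) as a small detector over raw UDP/69 payloads; this is an added example, not code from the advisory or from any listed exploit, and the byte thresholds are assumptions derived from the sizes quoted on this page.

```python
# Added example: heuristic detector for the oversized TFTP Error packets
# described in the detection notes. Works on the raw UDP payload (port 69).
import struct

TFTP_ERROR_OPCODE = 5
OVERSIZED_BYTES = 19_900   # page: payloads above ~19,900 bytes are characteristic
NOP_SLED_MIN = 256         # assumption: no legitimate error string holds this many 0x90


def parse_tftp_error(payload: bytes):
    """Return (error_code, message) for an RFC 1350 ERROR packet, else None.

    Layout: opcode(2) | ErrorCode(2) | ErrMsg | 0x00
    """
    if len(payload) < 5:
        return None
    opcode, code = struct.unpack("!HH", payload[:4])
    if opcode != TFTP_ERROR_OPCODE:
        return None
    msg = payload[4:].split(b"\x00", 1)[0]   # tolerate a missing terminator
    return code, msg


def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest contiguous run of `byte` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def inspect_packet(payload: bytes) -> list:
    """Return alert reasons for one UDP/69 payload (empty list = benign)."""
    parsed = parse_tftp_error(payload)
    if parsed is None:          # not an ERROR packet: out of scope here
        return []
    _code, msg = parsed
    alerts = []
    if len(payload) > OVERSIZED_BYTES:
        alerts.append(f"oversized TFTP ERROR packet ({len(payload)} bytes)")
    sled = longest_run(msg, 0x90)
    if sled >= NOP_SLED_MIN:
        alerts.append(f"NOP sled in error message ({sled} x 0x90)")
    return alerts


# Constructed sample traffic (not captured from a real host)
BENIGN = b"\x00\x05\x00\x01File not found\x00"
SUSPICIOUS = b"\x00\x05\x00\x00" + b"\x90" * 19_950 + b"\x00"
```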
GHSA
GHSA-8x28-7c5h-458j (ghsa_unreviewed · 2022-05-24 · CVSS 10.0): CVE-2018-10387 [CRITICAL] Heap-based overflow vulnerability in TFTP Server SP 1
Heap-based overflow vulnerability in TFTP Server SP 1.66 and earlier allows remote attackers to perform a denial of service or possibly execute arbitrary code via a long TFTP error packet, a different vulnerability than CVE-2008-2161.
GHSA
GHSA-fxvv-792x-8mjp (ghsa_unreviewed · 2022-05-01): CVE-2008-2161 [HIGH] CWE-119 Buffer overflow in TFTP Server SP 1
Buffer overflow in TFTP Server SP 1.4 and 1.5 on Windows, and possibly other versions, allows remote attackers to execute arbitrary code via a long TFTP error packet. NOTE: some of these details are obtained from third party information.
No detection rules found.
Exploit-DB
TFTP Server for Windows 1.4 - ST Remote BSS Overflow (exploitdb · 2008-05-08 · CVE-2008-2161)
---
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
# The Service or the RunStandAlone version.
# URL: http://sourceforge.net/projects/tftp-server/
#
# Author: tix or tixxDZ
# Date: 07/05/2008
#
# Tested on Windows XP SP2 French not patched
#
# TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet
# Other versions may also be vulnerable.
#
# TFTPServer respects RFC 1350 for Error packets; many other
# TFTP servers don't.
# TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#
# BUFFER is at 0041B3AB in the .bss section.
# This exploit will overwrite all the .bss section and some portion of the .idata section
# to patch functions addresses in the IAT.
#
# For the TFTPServer Servic
Metasploit
OpenTFTP SP 1.4 Error Packet Overflow (metasploit)
This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable condition triggers when the TFTP opcode is set to an error packet: the TFTP service then formats the message using a sprintf() call, which overflows the buffer and allows remote code execution in the context of SYSTEM. The offset (to EIP) depends on how the TFTP server was started ('Stand Alone' or 'Service'). By default the target is set to 'Service' because that is the default configuration during OpenTFTP Server SP 1.4's installation.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/30147
- http://www.securityfocus.com/bid/29111
- http://www.vupen.com/english/advisories/2008/1468/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42298
- https://www.exploit-db.com/exploits/5563