CVE-2008-2161
published 2008-05-12

Priority: P2 (61)
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 65.28% (99.2nd percentile)
Buffer overflow in TFTP Server SP 1.4 and 1.5 on Windows, and possibly other versions, allows remote attackers to execute arbitrary code via a long TFTP error packet. NOTE: some of these details are obtained from third party information.

Affected (3 ranges)

Vendor                     Product            Version range   Fixed in
open_tftp_server_project   open_tftp_server   <= 1.66         (not listed)
tftp                       tftp_server_sp     (not listed)    (not listed)
tftp                       tftp_server_sp     (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  port     69/udp (TFTP service port targeted by the exploit)
  port     4444/tcp (bind shell opened by the public payload)
  bytes    \x00\x05 (TFTP ERROR opcode)
  command  \x00\x05 + 19907 NOPs + shellcode + \x01\x01\x42\x00
  command  \x00\x05 + 19955 NOPs + shellcode + \x01\x01\x42\x00
  bytes    \x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24
  • Detect oversized TFTP Error packets (opcode 0x0005) sent to UDP/69. Legitimate TFTP error messages are short strings, and a normal RFC 1350 TFTP packet never exceeds 516 bytes unless a blksize option was negotiated, so any ERROR packet beyond a few hundred bytes is anomalous; the public exploit sends roughly 19,900 bytes or more.
  • Alert on TFTP Error packets (opcode \x00\x05) followed by large NOP sleds (~19907–19955 bytes of \x90) targeting UDP port 69.
  • Successful exploitation results in a bind shell on TCP port 4444 (windows/shell_bind_tcp, EXITFUNC=seh). Monitor for unexpected listening sockets on port 4444 on TFTP server hosts; the listener will belong to the TFTP server process or a child it spawned.
  • The Metasploit module exploits the same vulnerability class: a malformed TFTP error-opcode packet triggers a sprintf() overflow, giving RCE as SYSTEM. Because the service already runs with that token, there is no privilege escalation event to catch; correlate TFTP error-opcode traffic with unexpected child processes (for example cmd.exe) spawned by the TFTP server process.
  • The exploit offset to EIP differs depending on whether OpenTFTP SP 1.4 is running as a 'Service' (~20,459 bytes) or 'Stand Alone' program (~20,411 bytes). Detection rules should account for both payload sizes, or better, alert on any ERROR packet larger than a few hundred bytes rather than keying on one exact length.
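The detection logic in the bullets above, as an added example that is not part of the CVE record or of any exploit or detection rule it cites. It parses TFTP ERROR packets per RFC 1350, flags packets that are oversized or carry a NOP sled, and runs over constructed sample payloads (the "shellcode" is a placeholder run of 0xCC bytes, not a real payload). The thresholds MAX_LEGIT_ERROR_LEN and MIN_SLED_LEN are my assumptions; tune them for your environment.

```python
"""Offline detector for oversized / NOP-sled TFTP ERROR packets (added example).

Assumptions (mine, not from the CVE record): the two thresholds below and the
constructed sample packets at the bottom of the file.
"""
import struct
from dataclasses import dataclass

TFTP_PORT = 69
OPCODE_ERROR = 5
NOP = 0x90

# Assumed thresholds: a legitimate ERROR packet is opcode + code + short string + NUL,
# well under 512 bytes, and never contains a run of 0x90 bytes of any length.
MAX_LEGIT_ERROR_LEN = 512
MIN_SLED_LEN = 64


@dataclass
class Verdict:
    alert: bool
    reason: str
    length: int
    longest_nop_run: int


def longest_run(data: bytes, byte: int) -> int:
    """Length of the longest contiguous run of `byte` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def classify_tftp_error(udp_payload: bytes, dst_port: int = TFTP_PORT) -> Verdict:
    """Classify one UDP payload destined for a TFTP server.

    Only ERROR packets (opcode 5) are examined; an alert is raised when the packet
    is larger than MAX_LEGIT_ERROR_LEN or contains a NOP sled of MIN_SLED_LEN bytes
    or more. Other opcodes and non-TFTP ports are reported as benign.
    """
    n = len(udp_payload)
    if dst_port != TFTP_PORT or n < 4:
        return Verdict(False, "not a TFTP packet", n, 0)
    (opcode,) = struct.unpack("!H", udp_payload[:2])
    if opcode != OPCODE_ERROR:
        return Verdict(False, f"TFTP opcode {opcode}, not ERROR", n, 0)
    body = udp_payload[4:]  # error message; normally a short NUL-terminated string
    sled = longest_run(body, NOP)
    reasons = []
    if sled >= MIN_SLED_LEN:
        reasons.append(f"NOP sled of {sled} bytes")
    if n > MAX_LEGIT_ERROR_LEN:
        reasons.append(f"oversized ERROR packet ({n} bytes)")
    if reasons:
        return Verdict(True, "; ".join(reasons), n, sled)
    return Verdict(False, "TFTP ERROR packet within normal bounds", n, sled)


def scan(packets):
    """Return (index, Verdict) for every packet that raised an alert."""
    return [(i, v) for i, p in enumerate(packets)
            if (v := classify_tftp_error(*p)).alert]


def build_error_packet(code: int, message: bytes) -> bytes:
    """RFC 1350 ERROR packet: opcode 5 | error code | message | NUL."""
    return struct.pack("!HH", OPCODE_ERROR, code) + message + b"\x00"


# Constructed samples (not captured traffic). Each entry is (udp_payload, dst_port).
BENIGN_ERROR = build_error_packet(1, b"File not found")
READ_REQUEST = struct.pack("!H", 1) + b"boot.cfg\x00octet\x00"
# Same shape as the IOC "\x00\x05 + 19907 NOPs + shellcode + \x01\x01\x42\x00";
# the 500-byte 0xCC run stands in for shellcode.
EXPLOIT_SHAPED = b"\x00\x05" + b"\x90" * 19907 + b"\xcc" * 500 + b"\x01\x01\x42\x00"
SAMPLES = [(BENIGN_ERROR, 69), (READ_REQUEST, 69), (EXPLOIT_SHAPED, 69)]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLES):
        print(f"packet {idx}: ALERT {verdict.reason}")
```

Run against live traffic by feeding each UDP payload to UDP/69 into classify_tftp_error; the two alert conditions are independent, so a variant that trims the sled is still caught by the size check, and a sled hidden inside a packet that somehow stays small is still caught by the run-length check.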