3CTftpSvc Long Transport Mode Remote Overflow - Nessus

Critical   Plugin ID: 23735

This page contains detailed information about the 3CTftpSvc Long Transport Mode Remote Overflow Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 23735
Name: 3CTftpSvc Long Transport Mode Remote Overflow
Filename: 3ctftpsvc_mode_overflow.nasl
Vulnerability Published: 2006-11-26
This Plugin Published: 2006-11-28
Last Modification Time: 2019-03-06
Plugin Version: 1.24
Plugin Type: remote
Plugin Family: Windows
Dependencies: tftpd_detect.nasl
Required KB Items [?]: Services/udp/tftp, Settings/ParanoidReport

Vulnerability Information

Severity: Critical
Vulnerability Published: 2006-11-26
Patch Published: N/A
CVE [?]: CVE-2006-6183
CPE [?]: cpe:/a:3com:3ctftpsvc

Synopsis

The remote TFTP server is affected by a buffer overflow vulnerability.

Description

The remote host appears to be running 3CTftpSvc, a TFTPD server for Windows.

The version of Tftpd32 installed on the remote host appears to be affected by a buffer overflow vulnerability involving a long transport mode when getting or putting files. By leveraging this flaw, a remote attacker may be able to crash the remote service or execute code on the affected host subject to the privileges under which the service operates, by default LOCAL SYSTEM.

Solution

Unknown at this time.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the 3CTftpSvc Long Transport Mode Remote Overflow vulnerability:

  1. Metasploit: exploit/windows/tftp/threectftpsvc_long_mode
    [3CTftpSvc TFTP Long Mode Buffer Overflow]
  2. Exploit-DB: exploits/windows/remote/3170.pm
    [EDB-3170: 3Com TFTP Service (3CTftpSvc) 2.0.1 - Remote Buffer Overflow (Metasploit)]
  3. Exploit-DB: exploits/windows/remote/16347.rb
    [EDB-16347: 3Com TFTP Service (3CTftpSvc) - 'Mode' Remote Buffer Overflow (Metasploit)]
  4. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score:10.0 (High)
Impact Subscore:10.0
Exploitability Subscore:10.0
CVSS Temporal Score:8.3 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:8.3 (High)

Go back to menu.

Plugin Source

This is the 3ctftpsvc_mode_overflow.nasl nessus plugin source code. This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. 

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(23735);
  script_version("1.24");
  script_cvs_date("Date: 2019/03/06 18:38:55");

  script_cve_id("CVE-2006-6183");
  script_bugtraq_id(21301, 21322);

  script_name(english:"3CTftpSvc Long Transport Mode Remote Overflow");
  script_summary(english:"Checks for a buffer overflow vulnerability in 3Com 3CTftpSvc");

  script_set_attribute(attribute:"synopsis", value:"The remote TFTP server is affected by a buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running 3CTftpSvc, a TFTPD server for
Windows.

The version of Tftpd32 installed on the remote host appears to be
affected by a buffer overflow vulnerability involving a long transport
mode when getting or putting files. By leveraging this flaw, a remote
attacker may be able to crash the remote service or execute code on
the affected host subject to the privileges under which the service
operates, by default LOCAL SYSTEM.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/452754/30/0/threaded");
  script_set_attribute(attribute:"solution", value:"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'3CTftpSvc TFTP Long Mode Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/28");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:3com:3ctftpsvc");
  script_end_attributes();

  script_category(ACT_DENIAL);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");

  script_dependencies("tftpd_detect.nasl");
  script_require_keys("Services/udp/tftp", "Settings/ParanoidReport");
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");


if (report_paranoia < 2) audit(AUDIT_PARANOID);


port = get_kb_item("Services/udp/tftp");
if (!port) port = 69;


function tftp_get(port, file, mode) {
  local_var data, filter, i, ip, req, res, sport, udp;

  if (isnull(port)) port = 69;
  if (isnull(mode)) mode = "netascii";
  if (isnull(file)) return NULL;

  req = raw_string(
    0x00, 0x01,                        # Get
    file, 0x00,                        # file
    mode, 0x00                         # as per specified mode
  );

  ip = forge_ip_packet(
    ip_hl:5,
    ip_v:4,
    ip_tos:0,
    ip_len:20,
    ip_id:rand(),
    ip_off:0,
    ip_ttl:64,
    ip_p:IPPROTO_UDP,
    ip_src:compat::this_host()
  );
  sport = rand() % 64512 + 1024;
  udp = forge_udp_packet(
    ip:ip,
    uh_sport:sport,
    uh_dport:port,
    uh_ulen:8 + strlen(req),
    data:req
  );

  filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip() + ' and udp[8:1]=0x00';
  res = send_packet(
    udp,
    pcap_active:TRUE,
    pcap_filter:filter,
    pcap_timeout:1
  );

  # If there's a result, return the data.
  if (res) {
    return get_udp_element(udp:res, element:"data");
  }
}


# If the server is up...
file = string(SCRIPT_NAME, "-", unixtime());
res = tftp_get(port:port, file:file);
if (!isnull(res)) {
  # Send the exploit.
  res = tftp_get(port:port, file:"A", mode:string("netascii", crap(469)));

  # Test the server again.
  res = tftp_get(port:port, file:file);

  # There's a problem if we didn't get anything back.
  if (isnull(res)) security_hole(port:port, protocol:"udp");
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/3ctftpsvc_mode_overflow.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\3ctftpsvc_mode_overflow.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/3ctftpsvc_mode_overflow.nasl

Go back to menu.

How to Run

Here is how to run the 3CTftpSvc Long Transport Mode Remote Overflow as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select 3CTftpSvc Long Transport Mode Remote Overflow plugin ID 23735.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl 3ctftpsvc_mode_overflow.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a 3ctftpsvc_mode_overflow.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - 3ctftpsvc_mode_overflow.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state 3ctftpsvc_mode_overflow.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: See also: Similar and related Nessus plugins:
  • 19193 - MailEnable IMAP STATUS Command Remote Overflow
  • 19387 - CA BrightStor ARCserve Backup Agent for Windows Long String Overflow
  • 19553 - DameWare Mini Remote Control Pre-Authentication Remote Overflow
  • 19554 - DameWare Mini Remote Control Pre-Authentication Username Remote Overflow
  • 19783 - MailEnable IMAP Server W3C Logging Overflow
  • 20826 - Winamp < 5.13 Playlist Handling Multiple Overflows
  • 21141 - Rhapsody SWF File Handling Buffer Overflow
  • 21674 - WinGate POST Request Buffer Overflow
  • 21738 - Winamp < 5.24 in_midi.dll MIDI File Processing Overflow
  • 22127 - eIQnetworks Enterprise Security Analyzer Syslog Server Multiple Remote Overflows
  • 22129 - eIQnetworks Enterprise Security Analyzer EnterpriseSecurityAnalyzer.exe LICMGR_ADDLICENSE Command Remote Overflow
  • 22196 - eIQnetworks Enterprise Security Analyzer Monitoring.exe Multiple Command Overflow
  • 22253 - IBM eGatherer ActiveX RunEgatherer Function Overflow
  • 22510 - CA BrightStor ARCserve Backup for Windows Multiple Remote Buffer Overflows (QO81201)
  • 22511 - CA BrightStor ARCserve Backup DBASVR for Windows Multiple Remote Buffer Overflows
  • 23637 - Broadcom Wireless Driver (BCMWL5.SYS) Probe Response SSID Overflow
  • 23699 - Novell NetWare Client Print Provider (nwspool.dll) Multiple Function Overflow
  • 23783 - MailEnable IMAP Server Multiple Buffer Overflow Vulnerabilities (ME-10025)
  • 24013 - CA BrightStor ARCserve Backup Tape Engine Multiple Remote Overflows (QO84983)
  • 24236 - Symantec AntiVirus Management Interface Remote Overflow (SYM06-010)
  • 24268 - QuickTime RTSP URL Handler Buffer Overflow (Windows)
  • 24277 - WinProxy < 6.1r1c HTTP CONNECT Request Remote Overflow
  • 24683 - Trend Micro OfficeScan OfficeScanSetupINI.dll Remote Buffer Overflow
  • 24909 - TestDirector (TD) for Mercury Quality Center SPIDERLib.Loader ActiveX Control (Spider90.ocx) ProgColor Property Overflow
  • 25085 - LANDesk Management Suite Alert Service (aolnsrvr.exe) Remote Overflow
  • 25171 - Trend Micro ServerProtect AgRpcCln.dll Buffer Overflow
  • 25172 - Trend Micro ServerProtect EarthAgent RPC Request Remote Buffer Overflow
  • 25344 - ProgramChecker sasatl.dll ActiveX Control Multiple Overflows
  • 25442 - FlipViewer ActiveX Control < 4.1 Buffer Overflow Vulnerabilities
  • 25459 - Yahoo! Messenger Webcam ActiveX Buffer Overflows
  • 25655 - HP Instant Support Driver Check HPSDDX Class (SDD) ActiveX (sdd.dll) queryHub Function Overflow
  • 25693 - Sun Java Web Start JNLP File Handling Overflow (102996)
  • 25925 - Trend Micro ServerProtect Multiple Remote Overflows
  • 25951 - Oracle JInitiator beans.ocx ActiveX Multiple Buffer Overflows

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file 3ctftpsvc_mode_overflow.nasl version 1.24. For more plugins, visit the Nessus Plugin Library.

Go back to menu.