##############################################################################
CiscoKits CCNA TFTP Server Denial Of Service Vulnerability

SecPod Technologies (www.secpod.com)
Author: Prabhu S Angadi
###############################################################################

SecPod ID: 1023

21/07/2011 Issue Discovered
03/08/2011 Vendor Notified
Vendor Replied to Disclose
04/08/2011 Advisory Released

Class: Denial Of Service
Severity: High

Overview:
---------
CiscoKits CCNA TFTP Server is prone to a denial of service vulnerability.

Technical Description:
----------------------
The vulnerability is caused by improper validation of a WRITE request
parameter containing a long file name, which allows remote attackers to crash
the service and cause a denial of service condition.

Impact:
--------
Successful exploitation could allow an attacker to cause a denial of service
condition and may lead to further attacks.

Affected Software:
------------------
CiscoKits CCNA TFTP Server 1.0.0.0

Tested on:
-----------
CiscoKits CCNA TFTP Server 1.0.0.0 on Windows XP SP2.

References:
-----------
http://secpod.org/blog/?p=271
http://www.certificationkits.com
http://secpod.org/SECPOD_CiscoKits_CCNA_TFTP_DoS_POC.py
http://secpod.org/advisories/SECPOD_Ciscokits_CCNA_TFTP_DoS.txt

Proof of Concept:
----------------
Send a write request with a long filename.

Solution:
----------
Not available

Risk Factor:
-------------
CVSS Score Report:
    ACCESS_VECTOR          = NETWORK
    ACCESS_COMPLEXITY      = LOW
    AUTHENTICATION         = NOT_REQUIRED
    CONFIDENTIALITY_IMPACT = NONE
    INTEGRITY_IMPACT       = NONE
    AVAILABILITY_IMPACT    = COMPLETE
    EXPLOITABILITY         = PROOF_OF_CONCEPT
    REMEDIATION_LEVEL      = UNAVAILABLE
    REPORT_CONFIDENCE      = CONFIRMED
    CVSS Base Score        = 7.8 (AV:N/AC:L/Au:NR/C:N/I:N/A:C)
    Risk factor            = High

Credits:
--------
Prabhu S Angadi of SecPod Technologies has been credited with the discovery
of this vulnerability.
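
Added example (not part of the SecPod advisory and not vendor code): the kind of bounds check on a TFTP read/write request whose absence the Technical Description points to, usable in a filtering front end or a detection script. MAX_FILENAME is an assumed local policy value, the function names are hypothetical, and the sample datagrams are constructed.

```python
import struct

OP_RRQ, OP_WRQ = 1, 2
MAX_FILENAME = 255   # assumption: local policy bound, not a value from the advisory
MAX_REQUEST = 512    # RFC 2347 limits a request packet to 512 octets
MODES = {b"netascii", b"octet", b"mail"}   # transfer modes defined by RFC 1350

class TftpRequestError(ValueError):
    """Datagram is not a well-formed, in-policy RRQ/WRQ."""

def parse_request(datagram: bytes):
    """Validate an RRQ/WRQ and return (opcode, filename, mode)."""
    if len(datagram) < 4:
        raise TftpRequestError("truncated request")
    if len(datagram) > MAX_REQUEST:
        raise TftpRequestError("request datagram too large")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise TftpRequestError("not a read/write request")
    # Layout: opcode | filename | 0 | mode | 0 [| option | 0 | value | 0 ...]
    fields = datagram[2:].split(b"\x00")
    if len(fields) < 3:
        raise TftpRequestError("missing NUL terminator")
    filename, mode = fields[0], fields[1].lower()
    if not 0 < len(filename) <= MAX_FILENAME:
        raise TftpRequestError(f"filename length {len(filename)} out of bounds")
    if mode not in MODES:
        raise TftpRequestError("unknown transfer mode")
    return opcode, filename.decode("ascii", "replace"), mode.decode("ascii")

def verdict(datagram: bytes) -> str:
    """Return 'accept' or 'reject: <reason>' for logging or filtering."""
    try:
        parse_request(datagram)
        return "accept"
    except TftpRequestError as exc:
        return f"reject: {exc}"

# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "normal WRQ": b"\x00\x02config.txt\x00octet\x00",
    "oversized filename": b"\x00\x02" + b"A" * 300 + b"\x00octet\x00",
    "unterminated mode": b"\x00\x02config.txt\x00octet",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {verdict(pkt)}")
```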