Critical security advisory #006 tftpd32 Format string

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Critical security advisory #006 tftpd32 Format string
From: admin@xxxxxxxxxxx
Date: 19 Jan 2006 20:58:38 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Critical security advisory #006
Tftpd32 2.81 Format String + DoS PoC
Critical Security - 22:03 2006.01.19
Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits : Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200
Due to incorrect use of format strings there is a possibility of remote code 
execution. You can trigger this vulnerability
by sending SEND or GET request with a specially formated string. Vulnerable 
code:

LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX                                 ; /Arglist
PUSH EDX                                 ; |Format
PUSH EAX                                 ; |s = 00E6F4E8
CALL DWORD PTR DS:[<&USER32.wvsprintfA>] ; \wvsprintfA

Proof of concept exploit:
http://www.critical.lt/research/tftpd32_281_dos.txt

Prev by Date: Re: Directory traversal in phpXplorer
Next by Date: BlogPHP config.php SQL injection login bypassed
Previous by thread: Re: Tumbleweed EMF 6.x Processing Issues
Next by thread: BlogPHP config.php SQL injection login bypassed
Index(es):
- Date
- Thread