Network detection rules for an old TFTP RRQ Buffer Overflow vulnerability

Exploit-DB has published new exploit code for an old buffer overflow vulnerability in the read/write request packet processing code of TFTP Server version 1.4. I thought it would be good rule-writing practice to develop an IDS detection rule for it.

The Snort rules below detect exploit attempts against this vulnerability. Snort provides a very useful keyword, isdataat, which tests whether payload data is present at a given byte position (optionally relative to the end of the previous content match). This is especially useful for detecting buffer overflows: a request that is far longer than the protocol ever needs is a strong sign of an oversized field.

Exploit-DB has a couple of exploits available, targeting both the TFTP read request (RRQ, opcode 1) and write request (WRQ, opcode 2) buffer overflows.

The two rules below detect exploit attempts for both vulnerabilities.

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP WriteFile BO exploit attempt"; flow:to_server; content:"|00 02|"; depth:2; isdataat:800,relative; classtype:misc-attack; sid:1000002; rev:1;)

alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP ReadFile BO exploit attempt"; flow:to_server; content:"|00 01|"; depth:2; isdataat:800,relative; classtype:misc-attack; sid:1000003; rev:1;)

Each rule pins the two-byte TFTP opcode to the start of the payload with depth:2 (within only makes sense after a previous content match) and then requires, via isdataat:800,relative, that at least 800 more bytes follow the opcode. A legitimate RRQ/WRQ carries only a file name and a mode string such as "octet", so a request that large is almost certainly an overflow attempt. TFTP runs over UDP, so flow:established, which describes TCP connection state, does not apply; flow:to_server keeps the direction check. The option keyword is classtype, and Snort's built-in classification is spelled misc-attack. The 800-byte threshold is a heuristic tied to the size of the published exploit payloads; a shorter payload that still overflows the server's buffer would not trigger these rules.
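The following Python script is an added example, not code from the original post or from the exploit: it builds RFC 1350 RRQ/WRQ requests, mirrors the matching logic of the two rules above (opcode in the first two bytes, then isdataat:800,relative), and writes a small pcap so the rules can be replayed through Snort. The IP and MAC addresses, ports, file names and the 1000-byte filler are constructed test data; the exploit's real payload is not reproduced.

```python
"""Added example: build TFTP requests, mirror the rules' matching logic, and write a pcap.

Assumptions (not from the original post): the IP/MAC addresses, port numbers, the
1000-byte filler length and the file names below are constructed test data.
"""
import struct

RRQ, WRQ = 1, 2          # TFTP opcodes (RFC 1350): 1 = read request, 2 = write request
ISDATAAT_OFFSET = 800    # the value used by isdataat:800,relative in the rules


def build_tftp_request(opcode, filename, mode=b"octet"):
    """RFC 1350 request layout: 2-byte opcode | filename | NUL | mode | NUL."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ (1) or WRQ (2)")
    if b"\x00" in filename:
        raise ValueError("filename may not contain NUL")
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def parse_tftp_request(payload):
    """Return (opcode, filename, mode) or None if the payload is not a well-formed request."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:          # need filename, mode and the empty piece after the final NUL
        return None
    return opcode, fields[0], fields[1]


def rule_matches(payload, opcode):
    """Mirror one rule: content:"|00 op|"; depth:2; isdataat:800,relative.

    Snort's isdataat:N,relative succeeds when a byte exists N bytes past the end of the
    previous content match, so after a 2-byte opcode match the payload must be at
    least 2 + 800 + 1 = 803 bytes long.
    """
    if payload[:2] != struct.pack("!H", opcode):
        return False
    return len(payload) >= 2 + ISDATAAT_OFFSET + 1


def ip_checksum(header):
    """Standard ones' complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_frame(payload, src_ip=b"\x0a\x00\x00\x02", dst_ip=b"\x0a\x00\x00\x01",
              sport=40000, dport=69):
    """Wrap a TFTP payload in Ethernet/IPv4/UDP (constructed 10.0.0.2 -> 10.0.0.1:69)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # UDP checksum 0 = not computed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + udp


def build_pcap(payloads):
    """Return a classic libpcap file (link type 1, Ethernet) containing one frame per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate(payloads):
        frame = udp_frame(payload)
        out += struct.pack("<IIII", 1326500000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    benign = build_tftp_request(RRQ, b"boot.cfg")
    exploit_like = build_tftp_request(WRQ, b"A" * 1000)   # constructed stand-in for the exploit
    for name, pkt, op in (("benign RRQ", benign, RRQ), ("oversized WRQ", exploit_like, WRQ)):
        opcode, filename, mode = parse_tftp_request(pkt)
        print("%-14s len=%4d filename_len=%4d rule_match=%s"
              % (name, len(pkt), len(filename), rule_matches(pkt, op)))
    with open("tftp_bo_test.pcap", "wb") as f:
        f.write(build_pcap([benign, exploit_like]))
```

Running the script prints the benign request as a non-match and the oversized write request as a match, and leaves tftp_bo_test.pcap on disk; replay it with snort -c snort.conf -r tftp_bo_test.pcap and only sid 1000002 should fire. The rule_matches function also shows the exact boundary: a request with a 794-byte file name (803 bytes of payload) matches, a 793-byte file name does not. If your stream preprocessor is not tracking UDP, drop flow:to_server from the rules; the opcode and isdataat checks carry the detection on their own.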

Avoid using external TFTP servers unless it is a must. Stay safe!


This entry was posted on Saturday, January 14th, 2012 at 5:24 am and is filed under Information Security, Snort Signature.
