Wednesday, August 22, 2012

EXPLOIT-DEV : Quick TFTP Server Pro 2.1 Case Study

Quick TFTP Server Pro is a multi-threaded tftp server and telnet server for Microsoft Windows . It designed to allow network administrators and users to save and write files from various network equipment , and allow users to login to the server to execute various commands, such as listing file and directory information, reverse ping network equipment.

The current version 2.1 is vulnerable to Buffer Overflow which is announced on March 26, 2008 and Directory Traversal Vulnerability which is announced on November 5, 2011.

I only focus on the Buffer Overflow vulnerability. This piece of software does not fix the problem since 2008 after the vulnerability is discovered. I wonder to know the reason why.

Then I make up my mind to investigate. After the enquiry, it is confirmed that this piece of software is only exploitable on Windows XP SP2 and below. Windows XP SP3 or up cannot be exploited even it is vulnerability. Why?

I find out that this piece of software comes with no dll file and it is a standalone executable file. After the Windows XP SP3, Microsoft implemented Data Execution Prevention (DEP) and it enforces non-executable pages on the stack that prevent the execution of arbitrary shellcode.

In addition, this software has no other modules file (dll) that is not compiled with SafeSEH and all the system files are SafeSEHed. Although you can find a pointer at unicode.nls but because of null byte there is no chance to make the shellcode to work.

At least, I find out that so far. If anyone find out any method to exploit this software on Windows XP SP3 or up, please let me know. By the way, the ret2libc and ROP methods I have not been tried yet.

Therefore, it is only affect Windows XP SP2 and below. Since Windows XP SP2 is not supported by Microsoft any more, I think the developer of the software think that it is not necessary to fix the vulnerability.

That's all! See you.