Rule:

--
Sid:
1941

--
Summary:
This event is generated by an attempt to exploit a buffer overflow in TFTP file handling routines.

--
Impact:
Implementation Dependent.  Several implementations of TFTP are vulnerable to a
buffer overflow when processing long TFTP get requests.  This could allow
arbitrary code execution or result in a Denial of Service condition.

--
Detailed Information:
Insufficient bounds checking on requested filenames results in a simple to
exploit buffer overflow condition.  This condition can be exploited by making
a request for an overly long file name.

Affected Systems:
	Cisco IOS 11.1
	Cisco IOS 11.2
	Cisco IOS 11.3
	ATFTP 0.6.0 and 0.6.1.1

--
Attack Scenarios:
Attackers with access to TFTP can exploit this condition remotely by
requesting an overly long file name.

--
Ease of Attack:
Depending on the configuration of the TFTP server this vulnerability can be exploited with a simple script.  Currently several exploits exist in the wild.

--
False Positives:
Requests for legitimate file names of 100 or more bytes will trigger this rule. 

--
False Negatives:
Currently this rule checks for the existence of a file name of 100 or more bytes.  Vulnerable TFTP implementations that experience faults with file names of fewer than 100 bytes will not trigger this rule.
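The length check described in the False Positives and False Negatives sections above, re-implemented in Python as an added example (this is not the Snort rule itself and not Sourcefire code; it mirrors the page's description rather than the rule's actual content matching). It parses a TFTP read/write request (RFC 1350: 2-byte opcode, NUL-terminated filename, NUL-terminated mode) and flags a get (RRQ) whose filename is 100 bytes or longer. The sample payloads are constructed, and the helper names (parse_tftp_request, check_request, build_request, run_samples) are this example's own. Running it shows both limits the page notes: a legitimate 100-byte path alerts, and an 80-byte filename does not.

```python
import struct

# TFTP opcodes (RFC 1350): 1 = RRQ (get), 2 = WRQ (put)
OPCODES = {1: "RRQ", 2: "WRQ"}

# Threshold stated on this page: file names of 100 or more bytes trigger the rule.
FILENAME_ALERT_LEN = 100


def parse_tftp_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ payload into opcode name, filename and mode.

    Returns None when the payload is not an RRQ/WRQ. A missing NUL terminator
    is tolerated: the whole remainder is then taken as the filename, which is
    how an overlong request with no terminator would look on the wire.
    """
    if len(payload) < 2:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None
    rest = payload[2:]
    nul = rest.find(b"\x00")
    if nul == -1:
        filename, mode = rest, b""
    else:
        filename = rest[:nul]
        mode_part = rest[nul + 1:]
        mode_nul = mode_part.find(b"\x00")
        mode = mode_part if mode_nul == -1 else mode_part[:mode_nul]
    return {"opcode": OPCODES[opcode], "filename": filename, "mode": mode}


def check_request(payload: bytes, threshold: int = FILENAME_ALERT_LEN):
    """Apply the length check this page describes to one UDP payload.

    Returns (alerted, reason). Only RRQ (get) requests are considered, which
    follows the 'TFTP get' wording of the summary (an assumption of this
    example, not a statement about the rule's own matching).
    """
    req = parse_tftp_request(payload)
    if req is None:
        return False, "not a TFTP RRQ/WRQ"
    if req["opcode"] != "RRQ":
        return False, "%s request: not covered by this check" % req["opcode"]
    n = len(req["filename"])
    if n >= threshold:
        return True, "RRQ filename is %d bytes (>= %d)" % (n, threshold)
    return False, "RRQ filename is %d bytes (< %d)" % (n, threshold)


def build_request(opcode: int, filename: bytes, mode: bytes = b"octet") -> bytes:
    """Build an RRQ/WRQ payload (used here only to construct sample traffic)."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal get":          build_request(1, b"rsp-jv-mz.111-24a"),
    "oversized get":       build_request(1, b"A" * 120),
    "get, no terminator":  b"\x00\x01" + b"B" * 150,
    "legit 100-byte path": build_request(1, b"firmware/" + b"x" * 91),  # false positive
    "80-byte get":         build_request(1, b"C" * 80),                 # false negative
    "oversized put":       build_request(2, b"D" * 120),                # WRQ, not a get
    "data packet":         b"\x00\x03\x00\x01payload",
}


def run_samples(samples=SAMPLES):
    """Return {sample name: alerted} for each sample payload."""
    return {name: check_request(p)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        alerted, reason = check_request(payload)
        print("%-20s %-5s %s" % (name, "ALERT" if alerted else "ok", reason))
```

Tuning the threshold is the trade-off the two sections describe: lowering it catches implementations that fail on shorter names but raises the false-positive rate on sites that serve long paths, so any change should be checked against the filenames the local TFTP servers actually hand out.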

--
Corrective Action:
Cisco:
For Cisco IOS 11.1, 11.2, and 11.3 it is recommended that the TFTP service be disabled.  Cisco does not plan to release a patch for this problem.

It may also be possible to mitigate this problem by creating an alias for all filenames being served via the TFTP service.  

Example:
tftp-server flash rsp-jv-mz.111-24a alias CiscoIOS 

ATFTP:
    Debian GNU/Linux 3.0 (alias woody): upgrade to the atftp and atftpd
    0.6.0woody1 packages for your architecture.

    alpha:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_alpha.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_alpha.deb

    arm:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_arm.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_arm.deb

    i386:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_i386.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_i386.deb

    ia64:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_ia64.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_ia64.deb

    hppa:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_hppa.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_hppa.deb

    m68k:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_m68k.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_m68k.deb

    mips:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mips.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mips.deb

    mipsel:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_mipsel.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_mipsel.deb

    powerpc:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_powerpc.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_powerpc.deb

    s390:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_s390.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_s390.deb

    sparc:
    http://security.debian.org/pool/updates/main/a/atftp/atftp_0.6.0woody1_sparc.deb
    http://security.debian.org/pool/updates/main/a/atftp/atftpd_0.6.0woody1_sparc.deb

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Matthew Watchinski matt.watchinski@sourcefire.com

--
Reference: 

Bugtraq:
http://www.securityfocus.com/bid/5328

CVE:
CAN-2002-0813



--
