Format string vulnerability in the client in Tftpd32 before 4.50 allows remote servers to cause a denial of service (crash) or possibly execute arbitrary code via format string specifiers in the Remote File field.
Weakness
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tftpd32 | Philippe_jounin | * | 4.00 (including) |
| Tftpd32 | Philippe_jounin | 1.0 (including) | 1.0 (including) |
| Tftpd32 | Philippe_jounin | 1.1 (including) | 1.1 (including) |
| Tftpd32 | Philippe_jounin | 2.0 (including) | 2.0 (including) |
| Tftpd32 | Philippe_jounin | 2.1 (including) | 2.1 (including) |
| Tftpd32 | Philippe_jounin | 2.2 (including) | 2.2 (including) |
| Tftpd32 | Philippe_jounin | 2.11 (including) | 2.11 (including) |
| Tftpd32 | Philippe_jounin | 2.21 (including) | 2.21 (including) |
| Tftpd32 | Philippe_jounin | 2.51 (including) | 2.51 (including) |
| Tftpd32 | Philippe_jounin | 2.52 (including) | 2.52 (including) |
| Tftpd32 | Philippe_jounin | 2.53 (including) | 2.53 (including) |
| Tftpd32 | Philippe_jounin | 2.54 (including) | 2.54 (including) |
| Tftpd32 | Philippe_jounin | 2.60 (including) | 2.60 (including) |
| Tftpd32 | Philippe_jounin | 2.62 (including) | 2.62 (including) |
| Tftpd32 | Philippe_jounin | 2.70 (including) | 2.70 (including) |
| Tftpd32 | Philippe_jounin | 2.71 (including) | 2.71 (including) |
| Tftpd32 | Philippe_jounin | 2.72 (including) | 2.72 (including) |
| Tftpd32 | Philippe_jounin | 2.73 (including) | 2.73 (including) |
| Tftpd32 | Philippe_jounin | 2.74 (including) | 2.74 (including) |
| Tftpd32 | Philippe_jounin | 2.80 (including) | 2.80 (including) |
| Tftpd32 | Philippe_jounin | 2.81 (including) | 2.81 (including) |
| Tftpd32 | Philippe_jounin | 2.82 (including) | 2.82 (including) |
| Tftpd32 | Philippe_jounin | 2.83 (including) | 2.83 (including) |
| Tftpd32 | Philippe_jounin | 2.84 (including) | 2.84 (including) |
| Tftpd32 | Philippe_jounin | 3.00 (including) | 3.00 (including) |
| Tftpd32 | Philippe_jounin | 3.01 (including) | 3.01 (including) |
| Tftpd32 | Philippe_jounin | 3.02 (including) | 3.02 (including) |
| Tftpd32 | Philippe_jounin | 3.03 (including) | 3.03 (including) |
| Tftpd32 | Philippe_jounin | 3.10-beta (including) | 3.10-beta (including) |
| Tftpd32 | Philippe_jounin | 3.20 (including) | 3.20 (including) |
| Tftpd32 | Philippe_jounin | 3.22 (including) | 3.22 (including) |
| Tftpd32 | Philippe_jounin | 3.23 (including) | 3.23 (including) |
| Tftpd32 | Philippe_jounin | 3.26 (including) | 3.26 (including) |
| Tftpd32 | Philippe_jounin | 3.27 (including) | 3.27 (including) |
| Tftpd32 | Philippe_jounin | 3.28 (including) | 3.28 (including) |
| Tftpd32 | Philippe_jounin | 3.29 (including) | 3.29 (including) |
| Tftpd32 | Philippe_jounin | 3.31 (including) | 3.31 (including) |
| Tftpd32 | Philippe_jounin | 3.33 (including) | 3.33 (including) |
| Tftpd32 | Philippe_jounin | 3.34 (including) | 3.34 (including) |
| Tftpd32 | Philippe_jounin | 3.35 (including) | 3.35 (including) |
| Tftpd32 | Philippe_jounin | 3.50 (including) | 3.50 (including) |
| Tftpd32 | Philippe_jounin | 3.51 (including) | 3.51 (including) |
Potential Mitigations
Related Attack Patterns
References
- http://osvdb.org/100511
- http://packetstormsecurity.com/files/124275/Tftpd32-Client-Side-Format-String.html
- http://seclists.org/fulldisclosure/2013/Dec/15
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89455
- http://osvdb.org/100511
- http://packetstormsecurity.com/files/124275/Tftpd32-Client-Side-Format-String.html
- http://seclists.org/fulldisclosure/2013/Dec/15
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89455