Open TFTP Server MultiThreaded
cpe:2.3:a:open_tftp_server_project:open_tftp_server:*:*:*:*:*:*:*
- 1.7
A heap buffer overflow vulnerability has been identified in Open TFTP Server MultiThreaded version 1.7. The issue arises in the processRequest function, where the server improperly handles large block size negotiations. This vulnerability allows attackers to overwrite critical stack data, leading to memory corruption and causing a denial-of-service condition by crashing the application.
Exploitation of this vulnerability leads to a heap-based buffer overflow, allowing for memory corruption and control over the application's execution flow. This manipulation can cause the application to crash, creating a denial-of-service condition.
To reproduce this vulnerability, the server must be configured to allow file write operations. This can be done by enabling the 'write' option in the 'OpenTFTPServer.ini' file or by leaving it at the default (commented) setting, which also enables writing. The 'blksize' option should be set to allow large values, as the default size of 65464 bytes is insufficient. Once the server is properly configured, a client can send a Write Request (WRQ) packet with a negotiated block size of 60,000 bytes. After the server allocates a heap buffer based on this size, the client can send a malformed ERROR packet that exploits the buffer overflow by overwriting stack pointers and registers. This can be automated with a proof-of-concept script that handles the exploitation process.
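A detection-side view of the exchange described above, as an added example that is not part of the original advisory or of the Open TFTP Server project: it parses client-to-server TFTP payloads (RFC 1350 opcodes, RFC 2347 option framing) and flags a WRQ that negotiates a large blksize, then an ERROR packet from the same client that is oversized or unterminated. The two thresholds, the TftpWatch and run_sample names, and the sample packets are assumptions constructed for illustration.

```python
import struct

WRQ, ERROR = 2, 5          # TFTP opcodes (RFC 1350)
BLKSIZE_ALERT = 1468       # assumed policy threshold: 1500-byte MTU minus IP, UDP and TFTP headers
MAX_ERROR_LEN = 516        # assumed ceiling: size of a default 512-byte DATA packet

def parse_request(payload):
    """Split an RRQ/WRQ into (filename, mode, options) per RFC 2347."""
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("fields not NUL-terminated")
    text = [f.decode("ascii", "replace") for f in fields[:-1]]
    opts = {text[i].lower(): text[i + 1] for i in range(2, len(text) - 1, 2)}
    return text[0], text[1].lower(), opts

class TftpWatch:
    """Tracks clients that asked for a large blksize and checks their ERROR packets."""
    def __init__(self):
        self.big_writes = {}   # client (ip, port) -> blksize requested in WRQ

    def inspect(self, client, payload):
        """Return findings for one client-to-server UDP payload."""
        if len(payload) < 4:
            return ["runt packet"]
        findings = []
        opcode = struct.unpack("!H", payload[:2])[0]
        if opcode == WRQ:
            try:
                opts = parse_request(payload)[2]
            except ValueError as exc:
                return [f"malformed WRQ: {exc}"]
            blk = opts.get("blksize", "")
            if blk.isdigit() and int(blk) > BLKSIZE_ALERT:
                self.big_writes[client] = int(blk)
                findings.append(f"WRQ negotiates blksize={blk}")
        elif opcode == ERROR:
            if len(payload) > MAX_ERROR_LEN:
                findings.append(f"oversized ERROR ({len(payload)} bytes)")
            if not payload[4:].endswith(b"\x00"):
                findings.append("ERROR message not NUL-terminated")
            if findings and client in self.big_writes:
                findings.append(f"after WRQ with blksize={self.big_writes[client]}")
        return findings

# Constructed sample traffic (documentation address, made-up filename).
CLIENT = ("192.0.2.10", 40000)
SAMPLE = [b"\x00\x02upload.bin\x00octet\x00blksize\x0060000\x00",
          b"\x00\x05\x00\x02Access violation\x00",
          b"\x00\x05\x00\x00" + b"A" * 600]

def run_sample():
    watch = TftpWatch()
    return [watch.inspect(CLIENT, p) for p in SAMPLE]
```

The well-formed ERROR in the sample produces no finding; only the 604-byte unterminated one is flagged and tied back to the earlier WRQ.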