Rule:

--
Sid:
1941

--
Summary:
This event is generated by an attempt to exploit a buffer overflow in TFTP file handling routines.

--
Impact:
Implementation Dependent.  Several implementations of TFTP are vulnerable to a buffer overflow when processing long TFTP get requests.  This could allow arbitrary code execution or result in a Denial of Service condition.

--
Detailed Information:
Insufficient bounds checking on requested filenames results in a simple to exploit buffer overflow condition.  This condition can be exploited by making a request for an overly long file name.

--
Affected Systems:
Cisco IOS 11.1
Cisco IOS 11.2
Cisco IOS 11.3
ATFTP 0.6.0 and 0.6.1.1

--
Attack Scenarios:
Attackers with access to TFTP can exploit this condition remotely by requesting an overly long file name.

--
Ease of Attack:
Depending on the configuration of the TFTP server this vulnerability can be exploited with a simple script.  Currently several exploits exist in the wild.

--
False Positives:
Requests for legitimate file names of 100 or more bytes will trigger this rule. 

--
False Negatives:
Currently this rule checks for the existence of a file name of 100 or more bytes.  Vulnerable TFTP implementations that experience faults with file names of fewer than 100 bytes will not trigger this rule.
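The detection logic described in the False Positives and False Negatives sections above, as an added example that is not part of the original rule documentation: a small RFC 1350 request parser with the same 100-byte filename check, run over constructed TFTP packets (the threshold constant, helper names and sample packets are this example's own assumptions, and the byte-for-byte behaviour of the actual Snort rule is not reproduced).

```python
import struct

# TFTP opcodes from RFC 1350; only read and write requests carry a filename.
TFTP_RRQ = 1
TFTP_WRQ = 2

# Threshold taken from the rule description (100 or more bytes).  Assumed
# name; the real rule's exact matching details are not on the page.
FILENAME_THRESHOLD = 100


def parse_tftp_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL.

    Returns (opcode, filename, mode) as bytes, or None for packets that are
    too short or are not requests (DATA, ACK, ERROR, OACK).
    """
    if len(payload) < 2:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    rest = payload[2:]
    nul = rest.find(b"\x00")
    if nul == -1:
        # Malformed request with no terminator: the rest of the datagram is
        # the filename as far as a vulnerable server is concerned, so keep it.
        return opcode, rest, b""
    filename = rest[:nul]
    mode_part = rest[nul + 1:]
    nul2 = mode_part.find(b"\x00")
    mode = mode_part if nul2 == -1 else mode_part[:nul2]
    return opcode, filename, mode


def build_request(opcode: int, filename: bytes, mode: bytes = b"octet") -> bytes:
    """Build a well-formed RRQ/WRQ datagram (constructed test input only)."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def is_long_get_request(payload: bytes, threshold: int = FILENAME_THRESHOLD) -> bool:
    """True when the packet is a GET (RRQ) whose filename reaches the threshold.

    Write requests are ignored, matching the rule's focus on long get requests.
    """
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return False
    opcode, filename, _ = parsed
    return opcode == TFTP_RRQ and len(filename) >= threshold


def flag_payloads(payloads) -> list:
    """Return the indices of payloads the check would alert on."""
    return [i for i, p in enumerate(payloads) if is_long_get_request(p)]


# Constructed sample traffic illustrating the documented edge cases.
SAMPLE_PAYLOADS = [
    build_request(TFTP_RRQ, b"rsp-jv-mz.111-24a"),      # ordinary image request
    build_request(TFTP_RRQ, b"A" * 100),                 # exactly 100 bytes: alerts
    build_request(TFTP_RRQ, b"A" * 99),                  # 99 bytes: documented false negative
    build_request(TFTP_WRQ, b"A" * 200),                 # long PUT: not a get request
    struct.pack("!H", TFTP_RRQ) + b"B" * 150,            # no NUL terminator at all
    struct.pack("!H", 3) + b"\x00\x01" + b"C" * 512,     # DATA block, never a request
]

if __name__ == "__main__":
    for i in flag_payloads(SAMPLE_PAYLOADS):
        _, name, _ = parse_tftp_request(SAMPLE_PAYLOADS[i])
        print(f"payload {i}: RRQ filename of {len(name)} bytes")
```

The third sample shows why the rule has the false negative described above: a 99-byte name passes the length check even though some implementations may fault on it, and the second sample shows the mirror-image false positive for a legitimate 100-byte name.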

--
Corrective Action:
Cisco:
For Cisco IOS 11.1, 11.2, 11.3 it is recommended that the TFTP service be disabled.  Cisco does not plan on releasing a patch for this problem.

It may also be possible to mitigate this problem by creating an alias for all filenames being served via the TFTP service.  

Example:
tftp-server flash rsp-jv-mz.111-24a alias CiscoIOS 

--
Contributors:
Original rule writer unknown
Sourcefire Vulnerability Research Team
Matthew Watchinski matt.watchinski@sourcefire.com

--
Additional References: 

--
