CVE-2004-1485

Vulnerability

A buffer overflow exists in the TFTP client included with inetutils 1.4.2. The vulnerability is triggered when the gethostbyname function processes a large DNS response. Multiple code paths in main.c use strcpy and bcopy without proper bounds checking on the destination buffers, copying data from host->h_addr and host->h_name based on the source length rather than the destination buffer size [1]. This allows a malicious DNS server to supply a response that overflows static buffers in the .bss section [1].

Exploitation

An attacker can exploit this vulnerability by operating a malicious DNS server that returns an oversized response when the TFTP client performs a name resolution. The client does not require any special privileges or authentication to be vulnerable; any user invoking the TFTP client with a hostname that triggers a DNS query is affected [1]. Additionally, a local attacker on a LAN could spoof DNS replies to neighboring systems [1]. The attacker does not need direct network access to the TFTP client target machine beyond providing a crafted DNS reply.

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the TFTP client process. The overflow corrupts static buffers and can overwrite function pointers located in the .bss section, leading to code execution [1]. This could result in full compromise of the affected system, including arbitrary command execution and potential privilege escalation depending on the user running the TFTP client.

Mitigation

The vendor was notified and corrected the problem in a newer version of inetutils [1]. Users should upgrade to a version beyond 1.4.2 that contains the fix. No workarounds are mentioned in the reference. As of the publication date, no known mitigation exists for unpatched versions; disabling the TFTP client or restricting outbound DNS queries may reduce risk but is not a complete solution.