Access violation error

antares

Standard TFTP client, command-line interface. When I tried to download a file
from the server, I got an Access violation error:


C:\>tftp.exe -i xxx.xxx.xxx.xx GET abcc.bin

Transfering file abcc.bin from server in octet mode...
Error occurred during the file transfer (Error code = 2):
Access violation
 
Paul

First, study the protocol, and understand how it can fail.
For the protocol to work over the Internet, you'd have to
look at any NAT translation issues. The server side might
need port forwarding to port 69.

http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol

A copy of Wireshark can be used to "watch" the transfer, see
if the protocol is working as you expect or not. The timing
of when packets are sent (i.e. seeing a timeout interval
between attempts), can also help provide you with evidence
of where a failure might be.

http://en.wikipedia.org/wiki/Wireshark

Looking at the Wikipedia article, the TFTP program is
too simple minded to be used to debug where the problem
may be.

http://www.tftp-server.com/tftp_server_configuration.html

"It makes hard to specify firewall rules permitting
traffic to TFTP Server."

http://tools.ietf.org/html/rfc1350

"Most errors cause termination of the connection. An error is
signalled by sending an error packet. This packet is not
acknowledged, and not retransmitted (i.e., a TFTP server or user may
terminate after sending an error message), so the other end of the
connection may not get it. Therefore timeouts are used to detect
such a termination when the error packet has been lost.

Errors are caused by three types of events: not being able to
satisfy the request (e.g., file not found, access violation, or no such user),
receiving a packet which cannot be explained by a delay or
duplication in the network (e.g., an incorrectly formed packet), and
losing access to a necessary resource (e.g., disk full or access
denied during a transfer).

TFTP recognizes only one error condition that does not cause
termination, the source port of a received packet being incorrect.
In this case, an error packet is sent to the originating host.

This protocol is very restrictive, in order to simplify
implementation. For example, the fixed length blocks make allocation
straight forward, and the lock step acknowledgement provides flow
control and eliminates the need to reorder incoming data packets."

And the information here, makes it look like you may be receiving
an explicit error packet from the server. You can look at that
packet with Wireshark.

http://www.networksorcery.com/enp/protocol/tftp.htm

"Error codes:
...

2 Access violation"

HTH,
Paul
 
antares

When I attempted to download the config via TFTP, I tried to sniff the traffic
with a network protocol analyzer, but this doesn't help too much.

Protocol      IP source        IP destination   Port source   Port destination   Size
UDP -> TFTP   xx.xxx.xx.89     xxx.xxx.xxx.68   1053          69                 91
UDP           xxx.xxx.xxx.68   xx.xxx.xx.89     4626          1053               63

Can I get this Error code 2 "Access violation" in one of the following
cases: a) wrong TFTP server, i.e. this is not a TFTP server; b) the full path to
the file is required, not just the file name; c) no permission to download the
config file. Or would another error code be shown in these cases?

Thanks.
 
antares

I tried to download and sniff more times, and found that on each attempt the
sniffer returns a different Port Source and Port Destination:

UDP -> TFTP Port Source: 1113 Port Destination: 69
UDP Port Source: 2826 Port Destination: 1113

UDP -> TFTP Port Source: 1114 Port Destination: 69
UDP Port Source: 2833 Port Destination: 1114

UDP -> TFTP Port Source: 1115 Port Destination: 69
UDP Port Source: 2839 Port Destination: 1115
 
Paul

If you look at the actual packet coming back from the server, does
it show error 2? The packet format is defined here.

http://www.networksorcery.com/enp/protocol/tftp.htm

The Opcode value would be 0x05 (Error message).

The data would be 0x02 (Access violation), if the server
is returning an access violation error.

The problem could also be local, when the tftp program is
run from the command prompt, and you don't have permission to
write in that directory, but somehow I doubt that is the problem.
And the error message in that case might be reported in a
different way.

Paul
 
antares

Here is how it looks. I used PumpKIN Tftp:

http://img214.imageshack.us/img214/525/pic1ia.jpg
http://img521.imageshack.us/img521/183/pic2p.jpg
 
Paul

In your pic2p.jpg, I can see "0005 0002" near the end of the
second line, and the descriptive text "Access Violation" is attached
on the end of the package for good measure. The server is denying
access to the file. Since the server can deny access
based on IP address filtering, perhaps the access control
on the server hasn't been set up correctly for what
you're trying to do.

Paul
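
The packet Paul reads out of the capture, decoded field by field. This is an added example, not part of the original thread: a small parser for the RFC 1350 packet layout, run on constructed sample bytes (a read request for abcc.bin and an opcode 5 / code 2 reply). The names `parse_tftp`, `REQUEST` and `REPLY` are chosen here.

```python
import struct

# Opcodes and error codes as listed in RFC 1350.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ERROR_CODES = {
    0: "Not defined, see error message",
    1: "File not found",
    2: "Access violation",
    3: "Disk full or allocation exceeded",
    4: "Illegal TFTP operation",
    5: "Unknown transfer ID",
    6: "File already exists",
    7: "No such user",
}

def _cstrings(buf, count):
    """Return the first `count` NUL-terminated strings in buf."""
    parts = buf.split(b"\x00")
    if len(parts) < count + 1:
        raise ValueError("string field is not NUL-terminated")
    return [p.decode("ascii", errors="replace") for p in parts[:count]]

def parse_tftp(payload):
    """Decode the UDP payload of one TFTP packet into a dict."""
    if len(payload) < 4:
        raise ValueError("too short for a TFTP packet")
    (opcode,) = struct.unpack("!H", payload[:2])
    op = OPCODES.get(opcode)
    if op is None:
        raise ValueError(f"unknown opcode {opcode}")
    if op in ("RRQ", "WRQ"):
        filename, mode = _cstrings(payload[2:], 2)
        return {"op": op, "filename": filename, "mode": mode.lower()}
    (value,) = struct.unpack("!H", payload[2:4])
    if op == "ERROR":
        (message,) = _cstrings(payload[4:], 1)
        return {"op": op, "code": value,
                "meaning": ERROR_CODES.get(value, "unknown"), "message": message}
    if op == "DATA":
        return {"op": op, "block": value, "data": payload[4:]}
    return {"op": op, "block": value}  # ACK

# Constructed sample payloads (not taken from the poster's capture).
REQUEST = b"\x00\x01abcc.bin\x00octet\x00"                   # GET abcc.bin, octet mode
REPLY = bytes.fromhex("00050002") + b"Access violation\x00"  # opcode 5, code 2

if __name__ == "__main__":
    print(parse_tftp(REQUEST))
    print(parse_tftp(REPLY))
```

In a capture, feed it the UDP payload of the server's reply. As the port listings earlier in the thread show, that reply comes from a fresh server port rather than 69, so pick it out by the client's source port.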
 
Paul

antares said:
In that case, how does the cable modem get the config file every time it boots?

Thanks.

Would the packet header be the same, if the cable modem downloads
the configuration file, versus you attempting to download that
file from the LAN side of the modem? Perhaps the MAC address
is being used for filtration?

TFTP has no authentication as such, but a server could look
at the packet headers, to determine whether the device is
authorized.

Paul
 
antares

Can the TFTP server (running on a Linux server) filter IP addresses? When I do
a request with a DHCP query tool, the server response shows that the IP address
of the cable modem (PKT:YIAddr) is different from my IP address, which is shown
in the computer's TCP/IP settings (and when checked on the web). The same goes
for the gateway and subnet mask.

Paul said:
Would the packet header be the same, if the cable modem downloads
the configuration file, versus you attempting to download that
file from the LAN side of the modem?

How to determine this? Specifically, how do I check the packet header when
the cable modem downloads the config file? I tried powering off the modem,
waiting, then powering on, but the network protocol analyzer didn't show traffic.
 
Paul

antares wrote:
Can the TFTP server (running on a Linux server) filter IP addresses? When I do
a request with a DHCP query tool, the server response shows that the IP address
of the cable modem (PKT:YIAddr) is different from my IP address, which is shown
in the computer's TCP/IP settings (and when checked on the web). The same goes
for the gateway and subnet mask.

This server shows some filtering capability, to control what clients
have access. You can see an example of the configuration window for
the TFTP server in this picture. At the very least, this window shows
TCP/IP addresses.

http://www.tftp-server.com/images/srvconf_2.gif

antares wrote:
How to determine this? Specifically, how do I check the packet header when
the cable modem downloads the config file? I tried powering off the modem,
waiting, then powering on, but the network protocol analyzer didn't show traffic.

It would be pretty difficult, because the packet from the cable modem,
would be converted to DOCSIS and immediately go over the cable TV wire
as an RF signal. Pretty hard to fit a packet sniffer there, unless you
have a way to eavesdrop on the cable signal. Most of the cable modem
conversation is encrypted, but at the point the configuration file
is being fetched, there is a good chance that is all in plaintext,
as the encryption would be set up at registration time. (The modem
downloads the config file, and registration is the next step in the
reverse direction. See some online CISCO documentation for example
details.)

Paul
 
antares

Some details are not fully clear: so, based on the query response, the cable
modem has its own IP address, its own gateway and subnet mask, which have no
relationship with the network adapter's TCP/IP addressing? So theoretically,
assume we set a static IP address for the PC network card which is in the same
subnet as the cable modem, with the same gateway and mask; can we access the
server? We can't connect to the Internet in this case though.
 
Paul

Sounds good in theory.

You should check into the history of this stuff. For example, this hack
from 2002.

http://web.archive.org/web/20020601130059/online.securityfocus.com/archive/82/261454

( http://www.securityfocus.com/news/353 )

There are even people doing firmware changes, to make a modem easier to hack.

http://www.roadrunnerguide.com/files/SIGMA-X2_128. Manual.pdf

It's all very amusing. But some time has passed, so it isn't likely
that the same techniques will still work now. How long could a cable
company stay in the Internet business, if every teenager has uncapped
the modem, leaving the less technically savvy running at 75 kbit/sec?
I think someone would notice the imbalance. The head end equipment
can probably count bytes/sec and can tell the modem is not operating
within its profile.

Paul
 
