摘要： Fuzzing是一种自动化的漏洞挖掘技术。该文介绍了一种基于Fuzzing的漏洞挖掘思路，并将这一漏洞挖掘思路应用在TFTP协议上。设计并实现了一个针对TFTP服务器的fuzzer工具——tftpServerFuzzer，并对现有的从互联网上搜集到的Windows平台下11种TFTP服务器进行了安全测试，发现了8种TFTP服务器的13个安全漏洞，其中未曾公布过的漏洞有7个。该实践结果表明了tftpServerFuzzer的有效性和先进性。

关键词: 漏洞, 漏洞挖掘, Fuzzing技术, TFTP

Abstract: Fuzzing is an automated vulnerability exploiting technique. This paper propose a vulnerability exploiting approach based on Fuzzing and applies the approach to TFTP protocol. A fuzzer named tftpServerFuzzer is designed and implemented to test TFTP servers. 11 types of TFTP servers based on Windows via Internet are collected. By testing those TFTP servers using tftpServerFuzzer, seven unreleased and six known vulnerabilities are discovered. The result indicates the validity and superiority of the tftpServerFuzzer.

Key words: vulnerability, vulnerability exploiting, Fuzzing, TFTP

中图分类号: 

• TP309