Ipswitch TFTP Server Directory Traversal

2011-02-16T00:00:00
ID SAINT:3CA353D13D25CFDBBA8FD252197C6738
Type saint
Reporter SAINT Corporation
Modified 2011-02-16T00:00:00

Description

Added: 02/16/2011
BID: 50890
OSVDB: 77455

Background

Ipswitch makes software for businesses to manage networks, securely transfer files, and communicate via e-mail. They also provide some free network tools, including a TFTP server.

Problem

The Ipswitch TFTP Server version 1.0.0.24 has a directory traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Successful exploitation of this vulnerability could allow an attacker to download or upload arbitrary files. Other versions may also be affected.

Resolution

Restrict TFTP access to only a limited subtree of the file system. Consult your tftpd manual pages for details. Also, when no access restriction is possible, restrict TFTP access by using a TCP wrapper.

Upgrade or apply a patch if either a new release or patch becomes available.
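The subtree restriction described above, sketched as an added example (not code from SAINT or Ipswitch): it parses an RFC 1350 read/write request and accepts the filename only if it resolves inside the served root. The function names and the root directory a caller passes in are assumptions made for illustration.

```python
import os
import struct

OP_RRQ, OP_WRQ = 1, 2  # RFC 1350 read / write request opcodes


class RequestRejected(Exception):
    """Raised for any request that must not touch the file system."""


def parse_request(packet: bytes):
    """Split an RRQ/WRQ packet into (opcode, filename, mode)."""
    if len(packet) < 6:
        raise RequestRejected("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise RequestRejected("not a read/write request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise RequestRejected("filename and mode must be NUL-terminated")
    try:
        return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        raise RequestRejected("non-ASCII field") from None


def confine(root: str, requested: str) -> str:
    """Map a requested name to a path inside root, or raise RequestRejected."""
    name = requested.replace("\\", "/")  # Windows accepts both separators
    if name.startswith("/") or ":" in name:  # absolute, drive letter, or stream
        raise RequestRejected("absolute or drive-qualified path")
    parts = name.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise RequestRejected("empty, '.' or '..' path component")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    # Second check after resolution catches links that point outside the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise RequestRejected("resolves outside the served subtree")
    return candidate


def is_allowed(root: str, packet: bytes) -> bool:
    """True if the request parses and its filename stays under root."""
    try:
        _, filename, _ = parse_request(packet)
        confine(root, filename)
        return True
    except RequestRejected:
        return False
```

The same check applies to both downloads (RRQ) and uploads (WRQ), since the advisory notes that either direction can reach arbitrary files.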

References

<http://secunia.com/advisories/47025/>
<http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt>

Limitations

This exploit has been tested on Ipswitch TFTP Server 1.0.0.24 on Microsoft Windows Server 2003 SP2 English (DEP OptOut).

The "Allow downloads and uploads" option on the Ipswitch TFTP server must be enabled for the exploit to work properly.

The exploit drops an executable file in the Startup folder on the target system. The target system needs to be restarted to run the shellcode.

Platforms

Windows