Vulnerabilities in Timbuktu Pro 8.6.5

2008-03-13T00:00:00

Description

####################################################################### Luigi Auriemma Application: Timbuktu Pro Remote Control Software http://www.netopia.com/software/products/tb2/ Versions: <= 8.6.5 [RC 229] Platforms: Windows Mac OS X has not been tested Bugs: A] Denial of Service B] limited upload directory traversal Exploitation: remote Date: 10 Mar 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Timbuktu is a software for controlling the computer remotely. ####################################################################### ======= 2) Bugs ======= -------------------- A] Denial of Service -------------------- The instructions which handle the incoming instant messages are vulnerable to a couple of Denial of Service attacks. The first one consists in the possibility of crashing the program through an invalid Version field while the other type of bug is the freezing and the subsequent termination of Timbuktu using an invalid or incomplete message. ------------------------------------- B] limited upload directory traversal ------------------------------------- Each message or attachment is considered by Timbuktu as a file which is stored in temporary folders in the program's directory. Although the program uses various ways to avoid possible directory traversal attacks is still possible for an attacker to upload files with any filename in any location of the disk on which Timbuktu is running. The only limitation in this vulnerability is that Timbuktu changes the name of the file if one with the same name already exists so for example if we specify notepad.exe but it already exists, the program will create the file notepad2.exe. Currently I have found no ways to bypass this limitation. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/timbuto.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org

{"id": "SECURITYVULNS:DOC:19398", "bulletinFamily": "software", "title": "Vulnerabilities in Timbuktu Pro 8.6.5", "description": "\r\n#######################################################################\r\n\r\n Luigi Auriemma\r\n\r\nApplication: Timbuktu Pro Remote Control Software\r\n http://www.netopia.com/software/products/tb2/\r\nVersions: <= 8.6.5 [RC 229]\r\nPlatforms: Windows\r\n Mac OS X has not been tested\r\nBugs: A] Denial of Service\r\n B] limited upload directory traversal\r\nExploitation: remote\r\nDate: 10 Mar 2008\r\nAuthor: Luigi Auriemma\r\n e-mail: aluigi@autistici.org\r\n web: aluigi.org\r\n\r\n\r\n#######################################################################\r\n\r\n\r\n1) Introduction\r\n2) Bugs\r\n3) The Code\r\n4) Fix\r\n\r\n\r\n#######################################################################\r\n\r\n===============\r\n1) Introduction\r\n===============\r\n\r\n\r\nTimbuktu is a software for controlling the computer remotely.\r\n\r\n\r\n#######################################################################\r\n\r\n=======\r\n2) Bugs\r\n=======\r\n\r\n--------------------\r\nA] Denial of Service\r\n--------------------\r\n\r\nThe instructions which handle the incoming instant messages are\r\nvulnerable to a couple of Denial of Service attacks.\r\nThe first one consists in the possibility of crashing the program\r\nthrough an invalid Version field while the other type of bug is the\r\nfreezing and the subsequent termination of Timbuktu using an invalid or\r\nincomplete message.\r\n\r\n\r\n-------------------------------------\r\nB] limited upload directory traversal\r\n-------------------------------------\r\n\r\nEach message or attachment is considered by Timbuktu as a file which is\r\nstored in temporary folders in the program's directory.\r\nAlthough the program uses various ways to avoid possible directory\r\ntraversal attacks is still possible for an attacker to upload files\r\nwith any filename in any location of the disk on which Timbuktu is\r\nrunning.\r\n\r\nThe only limitation in this vulnerability is that Timbuktu changes the\r\nname of the file if one with the same name already exists so for\r\nexample if we specify notepad.exe but it already exists, the program\r\nwill create the file notepad2.exe.\r\nCurrently I have found no ways to bypass this limitation.\r\n\r\n\r\n#######################################################################\r\n\r\n===========\r\n3) The Code\r\n===========\r\n\r\n\r\nhttp://aluigi.org/poc/timbuto.zip\r\n\r\n\r\n#######################################################################\r\n\r\n======\r\n4) Fix\r\n======\r\n\r\n\r\nNo fix\r\n\r\n\r\n#######################################################################\r\n\r\n\r\n--- \r\nLuigi Auriemma\r\nhttp://aluigi.org", "published": "2008-03-13T00:00:00", "modified": "2008-03-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19398", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:25", "edition": 1, "viewCount": 15, "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8775"]}], "rev": 4}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645587425, "score": 1659803227}, "_internal": {"score_hash": "b5f0b5ada9af2e6657b204d6a4ae5b75"}}