-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
iDEFENSE Security Advisory 10.24.02: http://www.idefense.com/advisory/10.24.02.txt Directory Traversal in SolarWinds TFTP Server October 24, 2002
The SolarWinds TFTP Server has the ability to send and receive multiple files concurrently. This TFTP Server is commonly used to upload/download executable images and configurations to routers, switches, hubs, XTerminals, etc. The software is freely available from http://support.solarwinds.net/updates/New-customerFree.cfm and also included in the Standard, Professional, and Professional PLus Editions of SolarWinds Network Management Tools.
SolarWinds.net's TFTP Server is susceptible to a folder traversal attack allowing attackers to retrieve any file from the application. This vulnerability is often found due to a common programming error in the handling of file paths. The process is best explained with an example:
tftp target.server GET a\..\..\winnt\repair\sam
The above example will retrieve the Windows NT SAM file from the target server as the file request is translated to:
Where TFTP-ROOT is the default installed root directory.
Successful exploitation of this vulnerability provides attackers with access to any file on the target system. It is possible for this attack to lead to further compromise if for example the Windows NT SAM file was retrieved. SolarWinds TFTP Server is a free, multi-threaded TFTP server with security. More information about this application can be found at http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/.
iDEFENSE has verified the existence of this vulnerability in the latest version of SolarWinds TFTP Server (v5.0.55). It is suspected that earlier versions are vulnerable as well. A specific implementation's susceptibility can be determined by experimenting with the above-described specifics.
It is suggested that file transmittals be disabled if they are not required. This can be accomplished by selecting the "Receive only" radio button under the "File\Configure\Security" tab of the application. A firewall that restricts access to the application to only trusted sources could also help mitigate the attack.
Additionally, version 5.0.60 or later of the SolarWinds TFTP Server does not have this vulnerability.
VI. VENDOR FIX/RESPONSE
This problem has been resolved in all versions of the SolarWinds TFTP Server that are version 5.0.60 or later. Updated versions of all SolarWinds Tools are now available from http://www.solarwinds.net
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1209 to this issue.
VIII. DISCLOSURE TIMELINE
09/22/2002 Issue disclosed to iDEFENSE 10/14/2002 Solarwinds.net notified 10/14/2002 iDEFENSE clients notified 10/14/2002 Response received from Josh Stevens (email@example.com) 10/14/2002 Vendor fix made available 10/24/2002 Coordinated public disclosure
Matthew Murphy (firstname.lastname@example.org) is credited with discovering this vulnerability.
Get paid for security research http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories: send email to email@example.com, subject line: "subscribe"
iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.
David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071
-----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
iQA/AwUBPbhrNkrdNYRLCswqEQK54wCgmZZmE/hPJgUxvOcFLGOBK8/KESAAn2qe RO3IRm0crjfC2wgHTgJ3390A =u+ON -----END PGP SIGNATURE-----