[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3DB834BA.31729.11A6962D@localhost>
From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory 10.24.02: Directory Traversal in SolarWinds TFTP Server
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 10.24.02:
http://www.idefense.com/advisory/10.24.02.txt
Directory Traversal in SolarWinds TFTP Server
October 24, 2002
I. BACKGROUND
The SolarWinds TFTP Server has the ability to send and receive
multiple files concurrently. This TFTP Server is commonly used to
upload/download executable images and configurations to routers,
switches, hubs, XTerminals, etc. The software is freely available
from http://support.solarwinds.net/updates/New-customerFree.cfm and
also included in the Standard, Professional, and Professional PLus
Editions of SolarWinds Network Management Tools.
II. DESCRIPTION
SolarWinds.net's TFTP Server is susceptible to a folder traversal
attack allowing attackers to retrieve any file from the application.
This vulnerability is often found due to a common programming error
in the handling of file paths. The process is best explained with an
example:
tftp target.server GET a\..\..\winnt\repair\sam
The above example will retrieve the Windows NT SAM file from the
target server as the file request is translated to:
C:\TFTP-ROOT\a\..\..\winnt\repair\sam
Where TFTP-ROOT is the default installed root directory.
III. ANALYSIS
Successful exploitation of this vulnerability provides attackers with
access to any file on the target system. It is possible for this
attack to lead to further compromise if for example the Windows NT
SAM file was retrieved. SolarWinds TFTP Server is a free,
multi-threaded TFTP server with security. More information about this
application can be found at
http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/.
IV. DETECTION
iDEFENSE has verified the existence of this vulnerability in the
latest version of SolarWinds TFTP Server (v5.0.55). It is suspected
that earlier versions are vulnerable as well. A specific
implementation's susceptibility can be determined by experimenting
with the above-described specifics.
V. WORKAROUND
It is suggested that file transmittals be disabled if they are not
required. This can be accomplished by selecting the "Receive only"
radio button under the "File\Configure\Security" tab of the
application. A firewall that restricts access to the application to
only trusted sources could also help mitigate the attack.
Additionally, version 5.0.60 or later of the SolarWinds TFTP Server
does not have this vulnerability.
VI. VENDOR FIX/RESPONSE
This problem has been resolved in all versions of the SolarWinds TFTP
Server that are version 5.0.60 or later. Updated versions of all
SolarWinds Tools are now available from http://www.solarwinds.net
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1209 to
this issue.
VIII. DISCLOSURE TIMELINE
09/22/2002 Issue disclosed to iDEFENSE
10/14/2002 Solarwinds.net notified
10/14/2002 iDEFENSE clients notified
10/14/2002 Response received from Josh Stevens (josh@...arwinds.net)
10/14/2002 Vendor fix made available
10/24/2002 Coordinated public disclosure
IX. CREDIT
Matthew Murphy (mattmurphy@...rr.com) is credited with discovering
this vulnerability.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.
- -dave
David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@...fense.com
www.idefense.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
iQA/AwUBPbhrNkrdNYRLCswqEQK54wCgmZZmE/hPJgUxvOcFLGOBK8/KESAAn2qe
RO3IRm0crjfC2wgHTgJ3390A
=u+ON
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists