Walusoft TFTPServer2000 Version 3.6.1 Directory Traversal

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Walusoft TFTPServer2000 Version 3.6.1 Directory Traversal
From: vuln_research@xxxxxxxxxxxxxxxxxxx
Date: Mon, 5 Jan 2009 10:22:08 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

[--Vulnerability Summary--]

Title: Walusoft TFTPServer2000 Version 3.6.1 Directory Traversal

Product: Walusoft TFTPServer2000 Version 3.6.1

Discovered: November 9, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: Walusoft
Vendor URL: No longer exists (no contact information available)
Public disclosure date: January 5, 2009

Affects: Walusoft TFTPServer2000 Version 3.6.1
Fixed in: No fix currently available.
Risk: Medium

Vulnerability Description: Walusoft TFTPServer2000 Version 3.6.1 are prone to a 
directory-traversal vulnerability because it fails to sanitize TFTP GET 
requests. By using a specially crafted TFTP GET request an attacker is capable 
of retrieving files outside of the TFTP root directory.

Impact: The ability to obtain files outside of the TFTP root directory may 
allow an attacker to obtain more information about the underlying operating 
system and applications running on the host.

Keywords: security, vulnerability, tftp, directory traversal, princeofnigeria, 
gui, windows, server

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local and remote users

Walusoft TFTPServer2000 Version 3.6.1 is an application that provides services 
for transferring configuration files, firmware files and other types of data 
using the TFTP protocol. The application should restrict GET requests to the 
contents of the TFTP root directory to prevent obtaining data from other parts 
of the host operating system.

Vulnerability Scope: The default installation of Walusoft TFTPServer2000 
Version 3.6.1 will allow exploitation of this vulnerability. This software is 
licensed to and re-branded by many VoIP phone systems manufacturers. 
Verification of the product origin can be obtained by reading the about page.

[--More Details--]

Exploitation of this flaw is trivial and can be executed using any RFC 1350 
compliant TFTP client software. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: None
Vendor provided fix: None
Workarounds: No patch is available at this time. The analyst recommended work 
around is described as follows:

?Upon initial installation, the software fails to define or restrict the TFTP 
root directory to a specific directory and an attacker is able to gain access 
to operating system files. To fix this issue the TFTP server administrator show 
explicitly define the TFTP root directory on the System >> Setup menu, Server 
Options ?Outbound? tab.?

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 5, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

Prev by Date: Re: php 4.x php5.2.x all "show_source()" ,"highlight_file()" bypass‏
Next by Date: Re: php 4.x php5.2.x all "show_source()" ,"highlight_file()" bypass‏
Previous by thread: MSFXDC Metasploit eXploits Development Contest
Next by thread: [USN-702-1] Samba vulnerability
Index(es):
- Date
- Thread