TFTPUtil GUI TFTP Directory Traversal

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: TFTPUtil GUI TFTP Directory Traversal
From: vuln_research@xxxxxxxxxxxxxxxxxxx
Date: Wed, 14 Jan 2009 17:04:35 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Title: TFTPUtil GUI TFTP Directory Traversal
Product: TFTPUtil GUI

Discovered: November 26, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: k23productions
Vendor URL: http://sourceforge.net/projects/tftputil
Vendor notification date: December 1, 2008
Vendor response date: December 8, 2008
Vendor acknowledgement: December 8, 2008
Vendor provided fix: December 8, 2008
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009

Affects: TFTPUtil GUI versions 1.2.0 and 1.3.0
Fixed in: 1.4.0
Risk: Medium

Vulnerability Description: TFTPUtil GUI versions 1.2.0 and 1.3.0 are prone to a 
directory-traversal vulnerability because it fails to sanitize TFTP GET 
requests. By using a specially crafted TFTP GET request an attacker is capable 
of retrieving files outside of the TFTP root directory.

Impact: The ability to obtain files outside of the TFTP root directory may 
allow an attacker to obtain more information about the underlying operating 
system and applications running on the host.

Keywords: security, vulnerability, tftp, directory traversal, princeofnigeria, 
gui, windows, server

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local and remote users

TFTPUtil GUI is an application that provides services for transferring 
configuration files, firmware files and other types of data using the TFTP 
protocol. The application should restrict GET requests to the contents of the 
TFTP root directory to prevent obtaining data from other parts of the host 
operating system.

Vulnerability Scope: The default installation of TFTPUtil 1.20. or 1.3.0 will 
allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw is trivial and can be executed using any RFC 1350 
compliant TFTP client software. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: 1.4.0
Vendor provided fix: 1.4.0
Workarounds: Update to 1.4.0

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 14, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

Prev by Date: [ GLSA 200901-11 ] Avahi: Denial of Service
Next by Date: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Previous by thread: [ GLSA 200901-11 ] Avahi: Denial of Service
Next by thread: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Index(es):
- Date
- Thread