NetDecision TFTP Server 4.2 TFTP Directory Traversal

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: NetDecision TFTP Server 4.2 TFTP Directory Traversal
From: vuln_research@xxxxxxxxxxxxxxxxxxx
Date: Sun, 17 May 2009 10:45:35 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

[--Vulnerability Summary--]

Title: NetDecision TFTP Server 4.2 TFTP Directory Traversal
Product: NetDecision TFTP Server 4.2

Discovered: April 1, 2009
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: NetMechanica
Vendor URL: http://www.netmechanica.com/downloads/
Vendor notification date: April 2, 2009 and May 12, 2009
Vendor response date: None
Vendor acknowledgement: No
Vendor provided fix: No
Release coordinated with the vendor: No response from vendor
Public disclosure date: May 16, 2009

Affects: NetDecision TFTP Server 4.2
Fixed in: N/A
Risk: MEDIUM

Vulnerability Description: NetDecision TFTP Server 4.2 is prone to a 
directory-traversal vulnerability because it fails to sanitize TFTP GET and PUT 
requests. By using a specially crafted TFTP request an attacker is capable of 
putting (PUT) and retrieving (GET) files outside of the TFTP root directory.

Impact: The ability to PUT and GET files outside of the TFTP root directory may 
allow an attacker to obtain more information about the underlying operating 
system and applications running on the host. Additionally, malicious code can 
be uploaded to the host operating system.

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local and remote users

Vulnerability Scope: The default installation of NetDecision TFTP Server 4.2 
will allow exploitation of this vulnerability.

Keywords: security, vulnerability, tftp, directory traversal, princeofnigeria, 
gui, windows, server

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local and remote users

NetDecision TFTP Server 4.2 is an application that provides services for 
transferring configuration files, firmware files and other types of data using 
the TFTP protocol. The application should restrict PUT and GET requests to the 
contents of the TFTP root directory to prevent obtaining data from other parts 
of the host operating system or uploading malicious code.

Vulnerability Scope: The default installation of NetDecision TFTP Server 4.2 
will allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw is trivial and can be executed using any RFC 1350 
compliant TFTP client software. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: None
Vendor provided fix: None
Workarounds: None available at this time, design flaw. Discontinue use of this 
product until a stable patch is released.

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]
Public disclosure date: May 16, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

Prev by Date: BugCON '09 has swine influenza!!
Next by Date: [TKADV2009-006] libsndfile/Winamp VOC Processing Heap Buffer Overflow
Previous by thread: BugCON '09 has swine influenza!!
Next by thread: [TKADV2009-006] libsndfile/Winamp VOC Processing Heap Buffer Overflow
Index(es):
- Date
- Thread