Ipswitch TFTP Server Directory Traversal
Added: 02/16/2011
BID: 50890
OSVDB: 77455
Background
Ipswitch makes software for businesses to manage networks, securely transfer files, and communicate via e-mail. They also provide some free network tools, including a TFTP server.
Problem
The Ipswitch TFTP Server version 1.0.0.24 has a directory traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Successful exploitation of this vulnerability could allow an attacker to download or upload arbitrary files. Other versions may also be affected.
Resolution
Restrict TFTP access to only a limited subtree of the file system. Consult your tftpd manual pages for details. Also, when no access restriction is possible, restrict TFTP access by using a TCP wrapper.
Upgrade or apply a patch if either a new release or patch becomes available.
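
The subtree restriction described above, sketched as the check a TFTP server would apply to each read or write request before touching the file system. This is an added example, not Ipswitch code or code from the advisory; the root path C:\TFTP-Root and the function names are assumptions, and the sample packets are constructed.

```python
import struct
from pathlib import PureWindowsPath

TFTP_ROOT = PureWindowsPath(r"C:\TFTP-Root")  # assumed served subtree
RRQ, WRQ = 1, 2  # read / write request opcodes (RFC 1350)

def parse_request(packet: bytes):
    """Split an RRQ/WRQ packet into (opcode, filename, mode)."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a read/write request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed request")
    return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()

def confine(filename: str, root: PureWindowsPath = TFTP_ROOT) -> PureWindowsPath:
    """Map a requested name to a path under root, or raise ValueError."""
    requested = PureWindowsPath(filename)  # splits on both "/" and "\"
    if requested.anchor or ":" in filename:
        raise ValueError("absolute, drive-relative, UNC or stream name")
    if not requested.parts:
        raise ValueError("empty name")
    for part in requested.parts:
        # Rejects ".." and any component ending in a dot or space, which
        # Win32 path normalisation can rewrite into a different name.
        if part != part.rstrip(". "):
            raise ValueError("unsafe path component: %r" % part)
    return root.joinpath(*requested.parts)

def check(packet: bytes, allow_write: bool = False):
    """Return (True, path) for an acceptable request, else (False, reason)."""
    try:
        opcode, filename, _mode = parse_request(packet)
        if opcode == WRQ and not allow_write:
            return False, "uploads disabled"
        return True, str(confine(filename))
    except ValueError as exc:
        return False, str(exc)

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for pkt in (b"\x00\x01configs/sw1.cfg\x00octet\x00",
                b"\x00\x01..\\..\\outside.txt\x00octet\x00",
                b"\x00\x02sw1.cfg\x00octet\x00"):
        print(pkt, "->", check(pkt))
```

The check is lexical only; if the served subtree can contain links or junctions, the server also has to confirm that the resolved location of the opened file is still under the root.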
References
http://secunia.com/advisories/47025/
http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
Limitations
This exploit has been tested on Ipswitch TFTP Server 1.0.0.24 on Microsoft Windows Server 2003 SP2 English (DEP OptOut).
The "Allow downloads and uploads" option on the Ipswitch TFTP server must be enabled for the exploit to work properly.
The exploit drops an executable file in the Startup folder on the target system. The target system needs to be restarted to run the shell code.
Platforms
Windows