Allied Telesyn AT-TFTP Server Lets Remote Users Download and Upload Arbitrary Files or Cause the TFTP Service to Crash
SecurityTracker Alert ID: 1012011 |
SecurityTracker URL: http://securitytracker.com/id/1012011
CVE Reference:
GENERIC-MAP-NOMATCH
Date: Oct 31 2004
Impact:
Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included: Yes
Version(s): 1.8 and prior versions
Description:
Luigi Auriemma reported a vulnerability in the Allied Telesyn AT-TFTP Server. A remote user can view or write files on the target system. A remote user can also cause the TFTP service to crash.
It is reported that a remote user can supply a specially crafted filename containing '../' directory traversal sequences to read files from the target system or, if 'Read/Write' mode is enabled, to upload files to it, in either case with the privileges of the TFTP service.
Some demonstration exploit examples are provided:
tftpx server ../secret.txt secret.txt
tftpx -u server ../../windows/calc.exe evil.exe
It is also reported that a remote user can send a filename field that is 229 bytes or longer to trigger a buffer overflow and cause the TFTP service to crash. A demonstration exploit is provided:
tftpx -f server 229 none
Some demonstration exploit code is available at:
http://aluigi.altervista.org/testz/tftpx.zip
Impact:
A remote user can read arbitrary files on the target system with the privileges of the TFTP service.
A remote user can upload arbitrary files to the target system with the privileges of the TFTP service.
A remote user can cause the TFTP service to crash.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.alliedtelesyn.co.nz/support/rapier/download.html
Cause:
Access control error, Boundary error, Input validation error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Sat, 30 Oct 2004 22:15:34 -0400
Subject: http://aluigi.altervista.org/adv/attftp-adv.txt
#######################################################################
Luigi Auriemma
Application: Allied Telesyn TFTP Daemon
http://www.alliedtelesyn.com
http://www.alliedtelesyn.co.nz/support/rapier/download.html
Versions: <= 1.8
Platforms: Windows
Bugs: A] buffer overflow
B] directory traversal
Exploitation: remote
Date: 30 October 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Allied Telesyn TFTP Daemon (AT-TFTP) is a TFTP server whose primary
function is to transfer files between a PC and the vendor's network
products, but naturally it can also be used as a normal TFTP server.
#######################################################################
=======
2) Bugs
=======
------------------
A] buffer overflow
------------------
A buffer overflow exists in the remote filename field if it is 229
bytes or longer.
----------------------
B] directory traversal
----------------------
An attacker is able to download and upload (upload only if the
Read/Write mode is selected) files anywhere on the disk on which the
server's default transfer directory is set, using the classical
dot-dot-slash pattern.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/testz/tftpx.zip
A] tftpx -f server 229 none
B] tftpx server ../secret.txt secret.txt
tftpx -u server ../../windows/calc.exe evil.exe
#######################################################################
======
4) Fix
======
No fix.
I have not been able to contact the developers because there are no
mail addresses on the website and those available in the readme file
are unavailable.
#######################################################################
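As an added defensive example (not code from SecurityTracker, from the original advisory, or from the tftpx tool), the following Python parses a TFTP read/write request as laid out in RFC 1350 and applies the two server-side checks that address both bugs described in the Description above and in section 2 of the advisory: an upper bound on the filename field, set here to 228 bytes on the assumption that the 229-byte figure in the advisory marks the point at which AT-TFTP's buffer is overrun, and resolution of the requested name against the transfer directory so that dot-dot-slash (and, since the server is a Windows program, dot-dot-backslash) names cannot escape it. The sample packets, the transfer root /tftproot, the policy limit and the function names are constructed for this example and are not the vendor's values.

```python
import posixpath
import struct

# RFC 1350 opcodes for read and write requests.
OP_RRQ, OP_WRQ = 1, 2
MODES = ("netascii", "octet", "mail")
# Assumed policy limit (not the vendor's): the advisory says a filename of 229
# bytes or more crashes AT-TFTP <= 1.8, so anything that long is refused before
# it can reach any fixed-size buffer in the server.
MAX_FILENAME_BYTES = 228


def build_request(opcode: int, filename: bytes, mode: bytes = b"octet") -> bytes:
    """Construct an RFC 1350 RRQ/WRQ packet; used here only to make sample input."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def parse_request(packet: bytes):
    """Split a TFTP RRQ/WRQ into (opcode, raw filename bytes, mode string)."""
    if len(packet) < 4:
        raise ValueError("packet shorter than opcode plus two terminators")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("opcode %d is not RRQ/WRQ" % opcode)
    fields = packet[2:].split(b"\x00")
    # A well-formed request yields filename, mode, and an empty tail after the
    # final NUL (any RFC 2347 options would follow as further fields).
    if len(fields) < 3:
        raise ValueError("filename and mode must each be NUL-terminated")
    mode = fields[1].decode("ascii", "replace").lower()
    if mode not in MODES:
        raise ValueError("unknown mode %r" % mode)
    return opcode, fields[0], mode


def resolve_under_root(root: str, raw_name: bytes):
    """Map the client's filename onto the transfer directory, or return None when
    it escapes. Backslashes count as separators because the server runs on
    Windows; absolute paths and drive letters are never legitimate here."""
    name = raw_name.decode("latin-1").replace("\\", "/")
    if not name or name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, name))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # normalisation collapsed '..' components past the root
    return candidate


def check_request(packet: bytes, root: str = "/tftproot", read_write: bool = False):
    """Return (accepted, reason, resolved_path) for one RRQ/WRQ packet."""
    try:
        opcode, raw_name, mode = parse_request(packet)
    except ValueError as exc:
        return False, "malformed: %s" % exc, None
    if len(raw_name) > MAX_FILENAME_BYTES:
        return False, "filename of %d bytes exceeds limit" % len(raw_name), None
    path = resolve_under_root(root, raw_name)
    if path is None:
        return False, "filename escapes transfer directory", None
    if opcode == OP_WRQ and not read_write:
        return False, "write request while server is read-only", path
    return True, "%s %s" % ("read" if opcode == OP_RRQ else "write", mode), path


# Constructed sample requests (not captured traffic): a legitimate read, the two
# traversal names quoted in the advisory, a 229-byte filename, and a truncated packet.
SAMPLES = {
    "legit_read": build_request(OP_RRQ, b"router.cfg"),
    "traversal_read": build_request(OP_RRQ, b"../secret.txt"),
    "traversal_write_backslash": build_request(OP_WRQ, b"..\\..\\windows\\calc.exe"),
    "overlong": build_request(OP_RRQ, b"A" * 229),
    "truncated": b"\x00\x01abc",
}


def audit_samples(read_write: bool = False):
    """Run every sample through check_request and collect the verdicts."""
    return {name: check_request(pkt, read_write=read_write) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, why, path) in audit_samples().items():
        print("%-26s %s  %s  %s" % (name, "ACCEPT" if ok else "REJECT", why, path or ""))
```

The length check runs before any path handling, and the path check normalises the name against the root rather than searching for the literal string "../", so names such as `sub/../../x.txt` are caught as well as the plain form; a write request is refused last, after the name has been validated, so a read-only server still logs the attempted traversal rather than only the refused write.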