header-logo
Suggest Exploit
vendor:
Snap Deploy Server
by:
Luigi Auriemma
7.5
CVSS
HIGH
Directory Traversal and NULL Pointer
22 (Path Traversal) and 476 (NULL Pointer Dereference)
CWE
Product Name: Snap Deploy Server
Affected Version From: 2.0.0.1076
Affected Version To: 2.0.0.1076
Patch Exists: NO
Related CWE: N/A
CPE: a:acronis:snap_deploy_server
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2008

Acronis PXE Server Directory Traversal and NULL Pointer Vulnerabilities

The Acronis PXE Server is vulnerable to a classical directory traversal and an arbitrary path attacks which allow an attacker to download any file from the local disks or the network shares. An incomplete TFTP request (anything which goes from the simple absence of the option field to the usage of only the 2 bytes for the opcode) causes the crashing of the PXE Server due to a NULL pointer access.

Mitigation:

No fix.
Source

Exploit-DB raw data:

#######################################################################

                             Luigi Auriemma

Application:  Acronis PXE Server
              http://www.acronis.com/enterprise/products/snapdeploy/
Versions:     <= 2.0.0.1076
Platforms:    Windows
Bugs:         A] directory traversal
              B] NULL pointer
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Acronis PXE Server is an essential component of Acronis Snap Deploy
Server, a deployment solution for automatically configuring all the
clients of the local network.


#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

The PXE Server (pxesrv.exe) implements a TFTP server for allowing the
downloading of the bootstrap files (uploading is not allowed).
This service is vulnerable to a classical directory traversal and an
arbitrary path attacks which allow an attacker to download any file
from the local disks or the network shares.


---------------
B] NULL pointer
---------------

An incomplete TFTP request (anything which goes from the simple absence
of the option field to the usage of only the 2 bytes for the opcode)
causes the crashing of the PXE Server due to a NULL pointer access.


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/testz/tftpx.zip

  tftpx SERVER ..\../..\../boot.ini none
  tftpx SERVER c:\boot.ini none
  tftpx SERVER \\internal_host\documents\file.txt none

B]
send the bytes 00 01 to UDP port 69 of the server:

  echo -n -e \x00\x01|nc SERVER 69 -v -v -u



#######################################################################

======
4) Fix
======


No fix


#######################################################################

# milw0rm.com [2008-03-10]