OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Thu Oct 24 2002 - 16:58:18 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 10.24.02:
    http://www.idefense.com/advisory/10.24.02.txt
    Directory Traversal in SolarWinds TFTP Server
    October 24, 2002

    I. BACKGROUND

    The SolarWinds TFTP Server has the ability to send and receive
    multiple files concurrently. This TFTP Server is commonly used to
    upload/download executable images and configurations to routers,
    switches, hubs, XTerminals, etc. The software is freely available
    from http://support.solarwinds.net/updates/New-customerFree.cfm and
    also included in the Standard, Professional, and Professional PLus
    Editions of SolarWinds Network Management Tools.

    II. DESCRIPTION

    SolarWinds.net's TFTP Server is susceptible to a folder traversal
    attack allowing attackers to retrieve any file from the application.
    This vulnerability is often found due to a common programming error
    in the handling of file paths. The process is best explained with an
    example:

    tftp target.server GET a\..\..\winnt\repair\sam

    The above example will retrieve the Windows NT SAM file from the
    target server as the file request is translated to:

    C:\TFTP-ROOT\a\..\..\winnt\repair\sam

    Where TFTP-ROOT is the default installed root directory.

    III. ANALYSIS

    Successful exploitation of this vulnerability provides attackers with
    access to any file on the target system. It is possible for this
    attack to lead to further compromise if for example the Windows NT
    SAM file was retrieved. SolarWinds TFTP Server is a free,
    multi-threaded TFTP server with security. More information about this
    application can be found at
    http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/.

    IV. DETECTION

    iDEFENSE has verified the existence of this vulnerability in the
    latest version of SolarWinds TFTP Server (v5.0.55). It is suspected
    that earlier versions are vulnerable as well. A specific
    implementation's susceptibility can be determined by experimenting
    with the above-described specifics.

    V. WORKAROUND

    It is suggested that file transmittals be disabled if they are not
    required. This can be accomplished by selecting the "Receive only"
    radio button under the "File\Configure\Security" tab of the
    application. A firewall that restricts access to the application to
    only trusted sources could also help mitigate the attack.

    Additionally, version 5.0.60 or later of the SolarWinds TFTP Server
    does not have this vulnerability.

    VI. VENDOR FIX/RESPONSE

    This problem has been resolved in all versions of the SolarWinds TFTP
    Server that are version 5.0.60 or later. Updated versions of all
    SolarWinds Tools are now available from http://www.solarwinds.net

    VII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2002-1209 to
    this issue.

    VIII. DISCLOSURE TIMELINE

    09/22/2002 Issue disclosed to iDEFENSE
    10/14/2002 Solarwinds.net notified
    10/14/2002 iDEFENSE clients notified
    10/14/2002 Response received from Josh Stevens (joshsolarwinds.net)
    10/14/2002 Vendor fix made available
    10/24/2002 Coordinated public disclosure

    IX. CREDIT

    Matthew Murphy (mattmurphykc.rr.com) is credited with discovering
    this vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listservidefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPbhrNkrdNYRLCswqEQK54wCgmZZmE/hPJgUxvOcFLGOBK8/KESAAn2qe
    RO3IRm0crjfC2wgHTgJ3390A
    =u+ON
    -----END PGP SIGNATURE-----