[Full-disclosure] Vulnerabilities in Timbuktu Pro 8.6.5

---

• From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
• Date: Mon, 10 Mar 2008 22:45:50 +0100

---

#######################################################################

Luigi Auriemma

Application: Timbuktu Pro Remote Control Software
http://www.netopia.com/software/products/tb2/
Versions: <= 8.6.5 [RC 229]
Platforms: Windows
Mac OS X has not been tested
Bugs: A] Denial of Service
B] limited upload directory traversal
Exploitation: remote
Date: 10 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Timbuktu is a software for controlling the computer remotely.


#######################################################################

=======
2) Bugs
=======

--------------------
A] Denial of Service
--------------------

The instructions which handle the incoming instant messages are
vulnerable to a couple of Denial of Service attacks.
The first one consists in the possibility of crashing the program
through an invalid Version field while the other type of bug is the
freezing and the subsequent termination of Timbuktu using an invalid or
incomplete message.


-------------------------------------
B] limited upload directory traversal
-------------------------------------

Each message or attachment is considered by Timbuktu as a file which is
stored in temporary folders in the program's directory.
Although the program uses various ways to avoid possible directory
traversal attacks is still possible for an attacker to upload files
with any filename in any location of the disk on which Timbuktu is
running.

The only limitation in this vulnerability is that Timbuktu changes the
name of the file if one with the same name already exists so for
example if we specify notepad.exe but it already exists, the program
will create the file notepad2.exe.
Currently I have found no ways to bypass this limitation.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/timbuto.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• Prev by Date: [Full-disclosure] NULL pointer in Remotely Anywhere 8.0.668
• Next by Date: Re: [Full-disclosure] Invalid memory access in Acronis True Image Group Server 1.5.19.191
• Previous by thread: [Full-disclosure] NULL pointer in Remotely Anywhere 8.0.668
• Next by thread: Re: [Full-disclosure] Vulnerabilities in Timbuktu Pro 8.6.5
• Index(es):
  • Date
  • Thread

---

Relevant Pages Vulnerabilities in Timbuktu Pro 8.6.5 ... Timbuktu Pro Remote Control Software ... B] limited upload directory traversal ... Timbuktu is a software for controlling the computer remotely. ... (Bugtraq) Remote RDC Hung Up, any way to Restart Remotely? ... machines both running XP Pro and Timbuktu Pro, ... Suddenly the remote PC won't let me log in using either RDC ... (microsoft.public.windowsxp.work_remotely) Re: Remote Desktop ... > What can I use to remote from a PC into a MAC? ... Timbuktu ... Prev by Date: ... (microsoft.public.macintosh.general)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)