[NT] Directory Traversal in SolarWinds TFTP Server

From: support@securiteam.com
Date: 10/25/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 25 Oct 2002 00:51:20 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Directory Traversal in SolarWinds TFTP Server
------------------------------------------------------------------------

SUMMARY

The SolarWinds TFTP Server has the ability to send and receive multiple
files concurrently. This TFTP Server is commonly used to upload/download
executable images and configurations to routers, switches, hubs,
XTerminals, etc. The software is freely available from
<http://support.solarwinds.net/updates/New-customerFree.cfm>
http://support.solarwinds.net/updates/New-customerFree.cfm and also
included in the Standard, Professional, and Professional Plus Editions of
SolarWinds Network Management Tools. A vulnerability in the product allows
remote attacker to download files off the TFTP Server by using directory
traversal techniques.

DETAILS

Vulnerable systems:
 * SolarWinds TFTP Server version 5.0.55 and prior

Immune systems:
 * SolarWinds TFTP Server version 5.0.60

SolarWinds.net's TFTP Server is susceptible to a folder traversal attack
allowing attackers to retrieve any file from the application. This
vulnerability is often found due to a common programming error in the
handling of file paths. The process is best explained with an example:

tftp target.server GET a\..\..\winnt\repair\sam

The above example will retrieve the Windows NT SAM file from the target
server as the file request is translated to:

C:\TFTP-ROOT\a\..\..\winnt\repair\sam

Where TFTP-ROOT is the default installed root directory.

Analysis:
Successful exploitation of this vulnerability provides attackers with
access to any file on the target system. It is possible for this attack to
lead to further compromise if for example the Windows NT SAM file was
retrieved.

Workaround:
It is suggested that file transmittals be disabled if they are not
required. This can be accomplished by selecting the "Receive only" radio
button under the "File\Configure\Security" tab of the application. A
firewall that restricts access to the application to only trusted sources
could also help mitigate the attack.

Additionally, version 5.0.60 or later of the SolarWinds TFTP Server does
not have this vulnerability.

Vendor response and fix:
This problem has been resolved in all versions of the SolarWinds TFTP
Server that are version 5.0.60 or later. Updated versions of all
SolarWinds Tools are now available from <http://www.solarwinds.net>
http://www.solarwinds.net.

Disclosure Timeline:
09/22/2002 Issue disclosed to iDEFENSE
10/14/2002 Solarwinds.net notified
10/14/2002 iDEFENSE clients notified
10/14/2002 Response received from Josh Stevens (josh@solarwinds.net)
10/14/2002 Vendor fix made available
10/24/2002 Coordinated public disclosure

ADDITIONAL INFORMATION

The original advisory can be downloaded by going to:
 <http://www.idefense.com/advisory/10.24.02.txt>
http://www.idefense.com/advisory/10.24.02.txt

The information has been provided by <mailto:dendler@idefense.com> David
Endler of iDEFENSE and <mailto:mattmurphy@kc.rr.com> Matthew Murphy for
finding the vulnerability.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages