-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 10.24.02:
http://www.idefense.com/advisory/10.24.02.txt
Directory Traversal in SolarWinds TFTP Server
October 24, 2002

I. BACKGROUND

The SolarWinds TFTP Server has the ability to send and receive multiple
files concurrently. This TFTP Server is commonly used to upload/download
executable images and configurations to routers, switches, hubs,
XTerminals, etc. The software is freely available from
http://support.solarwinds.net/updates/New-customerFree.cfm and also
included in the Standard, Professional, and Professional Plus Editions of
SolarWinds Network Management Tools.

II. DESCRIPTION

SolarWinds.net's TFTP Server is susceptible to a folder traversal attack
allowing attackers to retrieve any file from the application. This
vulnerability is often found due to a common programming error in the
handling of file paths. The process is best explained with an example:

    tftp target.server
    GET a\..\..\winnt\repair\sam

The above example will retrieve the Windows NT SAM file from the target
server as the file request is translated to:

    C:\TFTP-ROOT\a\..\..\winnt\repair\sam

Where TFTP-ROOT is the default installed root directory.

III. ANALYSIS

Successful exploitation of this vulnerability provides attackers with
access to any file on the target system. It is possible for this attack to
lead to further compromise if, for example, the Windows NT SAM file was
retrieved.

SolarWinds TFTP Server is a free, multi-threaded TFTP server with
security. More information about this application can be found at
http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/.

IV. DETECTION

iDEFENSE has verified the existence of this vulnerability in the latest
version of SolarWinds TFTP Server (v5.0.55). It is suspected that earlier
versions are vulnerable as well. A specific implementation's
susceptibility can be determined by experimenting with the above-described
specifics.

V. WORKAROUND

It is suggested that file transmittals be disabled if they are not
required. This can be accomplished by selecting the "Receive only" radio
button under the "File\Configure\Security" tab of the application. A
firewall that restricts access to the application to only trusted sources
could also help mitigate the attack. Additionally, version 5.0.60 or later
of the SolarWinds TFTP Server does not have this vulnerability.

VI. VENDOR FIX/RESPONSE

This problem has been resolved in all versions of the SolarWinds TFTP
Server that are version 5.0.60 or later. Updated versions of all
SolarWinds Tools are now available from http://www.solarwinds.net

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2002-1209 to this issue.

VIII. DISCLOSURE TIMELINE

09/22/2002    Issue disclosed to iDEFENSE
10/14/2002    SolarWinds.net notified
10/14/2002    iDEFENSE clients notified
10/14/2002    Response received from Josh Stevens (josh@solarwinds.net)
10/14/2002    Vendor fix made available
10/24/2002    Coordinated public disclosure

IX. CREDIT

Matthew Murphy (mattmurphy@kc.rr.com) is credited with discovering this
vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical vulnerabilities and
hacker profiling to the global spread of viruses and other malicious code.
Our security intelligence services provide decision-makers, frontline
security professionals and network administrators with timely access to
actionable intelligence and decision support on cyber-related threats.
For more information, visit http://www.idefense.com.

- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPbhrNkrdNYRLCswqEQK54wCgmZZmE/hPJgUxvOcFLGOBK8/KESAAn2qe
RO3IRm0crjfC2wgHTgJ3390A
=u+ON
-----END PGP SIGNATURE-----
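
Added example (not part of the iDEFENSE advisory and not SolarWinds code): the path-handling error described in section II, shown as a naive root-plus-filename join beside a containment check that a TFTP server could apply before opening a file. The function names and the sample requests are assumptions constructed for illustration; only C:\TFTP-ROOT and the traversal string come from the advisory.

```python
import ntpath  # Windows path rules on any OS, so this runs offline anywhere

TFTP_ROOT = r"C:\TFTP-ROOT"  # default root directory named in the advisory


def naive_resolve(requested: str, root: str = TFTP_ROOT) -> str:
    """Flawed pattern: append the requested name to the root and use the result."""
    return ntpath.normpath(root + "\\" + requested)


def safe_resolve(requested: str, root: str = TFTP_ROOT) -> str:
    """Return the canonical path for a request, or raise if it leaves the root.

    Lexical check only: it does not resolve junctions or symlinks on disk.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in filename")
    # Clients may send either separator; treat both the same.
    candidate = requested.replace("/", "\\")
    # Reject drive letters, UNC prefixes and rooted paths outright.
    drive, _ = ntpath.splitdrive(candidate)
    if drive or candidate.startswith("\\"):
        raise ValueError("absolute path not allowed")
    # Collapse ".." components first, then test containment.
    full = ntpath.normpath(ntpath.join(root, candidate))
    root_norm = ntpath.normcase(ntpath.normpath(root))
    # Case-insensitive compare on a component boundary, so a sibling such
    # as C:\TFTP-ROOT-backup does not pass as being "inside" the root.
    if not ntpath.normcase(full).startswith(root_norm + "\\"):
        raise ValueError("request escapes TFTP root")
    return full


if __name__ == "__main__":
    # Constructed sample requests; the second is the string from section II.
    for req in (r"configs\router1.cfg", r"a\..\..\winnt\repair\sam",
                r"..\TFTP-ROOT-backup\x", r"C:\winnt\repair\sam"):
        try:
            print(f"{req!r:32} -> {safe_resolve(req)}")
        except ValueError as exc:
            print(f"{req!r:32} -> rejected ({exc}); "
                  f"naive join gives {naive_resolve(req)}")
```
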