Vulnerability Research Team Advisories

Digital Defense’s Vulnerability Research Team (VRT) posts advisories to raise awareness of newly discovered vulnerabilities and of other information that helps secure computing networks against compromise by unauthorized parties. Advisories are posted by the VRT on an as-needed basis.

DDI provides the links below as a service and does not take responsibility for the content or availability of the sites, nor does it endorse any services or products listed below.

Should you have any questions regarding any advisory, or vulnerability specifically, please feel free to contact Client Support at 888.273.1412 or support@ddifrontline.com.

Vulnerability Legend
High
Medium
Low

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the SolarWinds Network Performance Monitor

Title: DDIVRT-2012-45 SolarWinds Network Performance Monitor Blind SQL Injection

Severity: High

Date Discovered: April 26, 2012

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description: The SolarWinds Orion Network Performance Monitor 9.1 and prior contains a blind SQL injection flaw on the 'Login.asp' page. An attacker can leverage this flaw to execute arbitrary SQL commands and extract sensitive information from the backend database using standard blind SQL injection exploitation techniques.

This vulnerability applies to installations that have been upgraded from version 9.1 or prior. Fresh installations and migrations starting with version 9.5 do not contain this vulnerability.

Solution Description: SolarWinds has addressed the issue in releases subsequent to and including version 9.5 and has provided the following options to resolve the issue:

  1. Upgrade to the latest version of Network Performance Monitor.
  2. Manually delete the 'Login.asp' page from the vulnerable installation – the vulnerable page has not been used for several versions but does not get removed through the application of upgrades.

Please contact SolarWinds support for assistance in addressing the issue.

Tested Systems / Software (with versions):

SolarWinds Orion Network Performance Monitor 9.1

Vendor Contact: SolarWinds

Website: http://www.solarwinds.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the ACTi Web Configurator

Title: DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal

Severity: High

Date Discovered: March 8, 2012

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: shmoov and r@b13$

Vulnerability Description: The ACTi Web Configurator 3.0 for ACTi IP Surveillance Cameras contains a directory traversal vulnerability within the cgi-bin directory. An unauthenticated remote attacker can use this vulnerability to retrieve arbitrary files that are located outside the root of the web server.

Solution Description: Production of the cameras that ship this version of the ACTi Web Configurator has been discontinued. However, a firmware upgrade which addresses the issue is available for download from the ACTi support team. Please contact the ACTi support team to retrieve the firmware upgrade and instructions on how to apply the changes.

Tested Systems / Software (with versions):

ACTi Web Configurator 3.0 - camera version unknown

Vendor Contact: ACTi Corporation | http://www.acti.com/corporate/Brief.asp

Website: http://www.acti.com/home/index.asp

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with PacketVideo's TwonkyServer and TwonkyMedia

Title: DDIVRT-2012-40 PacketVideo TwonkyServer and TwonkyMedia Directory Traversal

Severity: High

Date Discovered: March 12, 2012

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description: Multiple PacketVideo products contain a directory traversal vulnerability within the web server that is running on port 9000. These products are vulnerable to the attack regardless of having configured the "Secured Server Settings" which are available on the Advanced configuration page. Susceptible products include the Twonky 7.0 Special and the TwonkyManager 3.0.

An unauthenticated remote attacker can use this vulnerability to retrieve arbitrary files that are located outside the root of the web server.

Solution Description: PacketVideo has addressed the issue. Contact the vendor for the software update.

Tested Systems / Software (with versions):

Twonky 7.0 Special on Windows Vista
TwonkyManager 3.0 on Windows Vista

Vendor Contact: PacketVideo Corporation | http://www.pv.com/

Website: http://twonky.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the SolarWinds Storage Manager Server

Title: DDIVRT-2011-39 SolarWinds Storage Manager Server SQL Injection Authentication Bypass

Severity: High

Date Discovered: December 7, 2011

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description: The 'LoginServlet' page on port 9000 of the SolarWinds Storage Manager Server is vulnerable to a SQL injection within the 'loginName' field. An attacker can leverage this flaw to bypass authentication to the Storage Manager application or to execute arbitrary SQL commands and extract sensitive information from the backend database using standard SQL exploitation techniques. Additionally, an attacker may be able to leverage this flaw to compromise the database server host operating system.

Solution Description: SolarWinds has not yet provided a patch to address the issue. Digital Defense, Inc. recommends restricting access to the affected port until an update has been produced by the vendor.

Tested Systems / Software (with versions):

32-bit SolarWinds Storage Manager Server version 5.1.2 on Windows 2003

Vendor Contact: SolarWinds

Website: http://www.solarwinds.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with KnowledgeTree

Title: DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection

Severity: High

Date Discovered: November 18, 2011

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description: The KnowledgeTree login.php login page is vulnerable to blind SQL injection within the username field. An attacker can leverage this flaw to execute arbitrary SQL commands and extract sensitive information from the backend database using standard blind SQL exploitation techniques. Additionally, an attacker may be able to leverage this flaw to compromise the database server host OS.

Solution Description: KnowledgeTree has released a patch which addresses the issue. The new source is available at: http://wiki.knowledgetree.org/Security_advisory:_KnowledgeTree_login.php_Blind_SQL_Injection

Tested Systems / Software (with versions):

KnowledgeTree Version 3.7.0.2 (community edition)

Vendor Contact: KnowledgeTree, Inc.

Website: http://www.knowledgetree.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with certain HP JetDirect printers

Title: DDIVRT-2011-37 HP JetDirect Device Page Directory Traversal

Severity: High

Date Discovered: October 12, 2011

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description: The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read only access to directories and files outside of the web root, different from CVE-2008-4419.  An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc. Information obtained from an affected host may facilitate further attacks against the host.  Exploitation of this flaw is trivial using common web server directory traversal techniques.

Solution Description: At this time, the vendor has not yet released a patch for this vulnerability.  As a work around, Digital Defense, Inc. recommends restricting access to the HP JetDirect web administration interface to authorized hosts only.

Tested Systems / Software (with versions):

HP LaserJet 4650
Current Firmware:  20070419 07.006.0

HP LaserJet P3015
Current Firmware: 20100518 07.050.8  (Outdated)

HP LaserJet 2430
Current Firmware: 20090624 08.113.0_I35128

Vendor Contact: HP

Website: http://www.hp.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the Cybele Software, Inc. ThinVNC Product Suite

Title: DDIVRT-2011-36 Cybele Software, Inc. ThinVNC Product Suite Arbitrary File Retrieval

Severity: High

Date Discovered: September 6th, 2011

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description: Multiple Cybele Software, Inc. products, including ThinVNC, ThinRDP, and ThinVNC Access Point 2.0, are vulnerable to arbitrary file retrieval through directory traversal. An unauthenticated remote attacker can submit requests for files that are located outside the root of the web server that is distributed with these Cybele Software, Inc. products.

Solution Description: Cybele Software, Inc. has released a patch for the vulnerability which is available for download from the http://www.thinvnc.com/ website.

Tested Systems / Software (with versions):

ThinVNC 2.0.0.1
ThinRDP 1.0.0.33
ThinVNC Access Point 2.0.0.1

Vendor Contact: Cybele Software, Inc.

Website: http://www.thinvnc.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR)

Title: DDIVRT-2011-35 Cisco Unified Contact Center Express Directory Traversal [CVE-2011-3315]

Severity: High

Date Discovered: August 9, 2011

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description: The default deployment of Cisco Unified Contact Center Express (UCCX) system is configured with multiple listening services. The web service that is listening on TCP port 9080, or on TCP port 8080 in versions prior to 8.0(x), serves a directory which is configured in a way that allows for a remote unauthenticated attacker to retrieve arbitrary files from the UCCX root filesystem through a directory traversal attack. It is possible for an attacker to use this vector to gain console access to the vulnerable node as the 'ccxcluster' user, and subsequently escalate privileges.

Solution Description: Cisco has released a patch for this vulnerability. Information regarding the software update which addresses this issue is available at:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx

Tested Systems / Software (with versions):

Cisco Unified Contact Center Express (UCCX) versions: 8.5(x), 8.0(x), 7.0(x), 6.0(x)
Cisco Unified IP Interactive Voice Response (Unified IP-IVR) versions: 8.5(x), 8.0(x), 7.0(x), 6.0(x)

Vendor Contact: Cisco

Website: http://www.cisco.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Metropolis Technologies' OfficeWatch

Title: DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal

Severity: High

Date Discovered: August 15, 2011

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Chris Graham and r@b13$

Vulnerability Description: Metropolis Technologies OfficeWatch enables a web server on TCP port 80 that is susceptible to a directory traversal. An attacker may send a ../ (dot-dot-slash) sequence to traverse out of the web root and access arbitrary files on the host.

Solution Description: Until a patch is released by the vendor, it is recommended to restrict access to the web server to authorized hosts only. Access controls can be configured through Windows firewall.

Tested Systems / Software (with versions): Metropolis Technologies OfficeWatch for Windows 2000/XP/2003/Vista Version 2011.06.20

Vendor Contact: Metropolis Technologies

Email: support2011@metropolis.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the IBM WebSphere Application Server

Title: DDIVRT-2011-33 IBM WebSphere Application Server 'help' Servlet Plug-in Bundle Directory Traversal [CVE-2011-1359]

Severity: High

Date Discovered: July 28, 2011

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Javier Castro, sxkeebler and r@b13$

Vulnerability Description: The default installation of the IBM WebSphere Application Server is deployed with a 'help' servlet which is designed to serve supporting documentation for the WebSphere system. When the 'help' servlet processes a URL that contains a reference to a Java plug-in Bundle that is registered with the Eclipse Platform Runtime Environment of the WebSphere Application Server, the 'help' servlet fails to ensure that the submitted URL refers to a file that is both located within the web root of the servlet and is of a type that is allowed to be served.

An unauthenticated remote attacker can use this weakness in the 'help' servlet to retrieve arbitrary system files from the host that is running the 'help' servlet. This can be accomplished by submitting a URL which refers to a registered Java plug-in Bundle followed by a relative path to the desired file.
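The OfficeWatch advisory above describes the mechanism (a ../ sequence walks out of the web root) and the WebSphere 'help' servlet advisory names the two checks that were missing: that the resolved file is inside the web root, and that it is of a type the servlet is meant to serve. The following Python is an added illustration of the vulnerable join beside a hardened resolver. It is not code from either vendor; the web root, the allowed suffix list and the sample request paths are constructed for the example.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed for the example: file types the hardened resolver is willing to serve.
ALLOWED_SUFFIXES = frozenset({".html", ".htm", ".css", ".js", ".png", ".gif"})


def unsafe_resolve(web_root, request_path):
    """The vulnerable pattern: decode the request path and join it onto the
    web root.  '..' segments walk straight out of web_root."""
    relative = unquote(request_path).lstrip("/")
    return os.path.normpath(os.path.join(web_root, relative))


def normalize_request_path(request_path):
    """Decode once (as the HTTP layer does), treat backslashes as separators
    because several affected products run on Windows, drop the leading slash
    and collapse '.' and '..' lexically.  Returns None if a NUL byte is present."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/").lstrip("/")
    return posixpath.normpath(decoded) if decoded else "."


def safe_resolve(web_root, request_path, allowed_suffixes=ALLOWED_SUFFIXES):
    """Hardened resolver: returns the absolute path to serve, or None when the
    request escapes web_root or asks for a file type that is not allowed."""
    relative = normalize_request_path(request_path)
    if relative is None:
        return None
    # After normpath, anything that still begins with '..' climbs above the root.
    if relative in (".", "..") or relative.startswith("../"):
        return None
    if posixpath.splitext(relative)[1].lower() not in allowed_suffixes:
        return None
    root_real = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root_real, relative))
    # commonpath, not startswith: '/srv/www2' must not pass for root '/srv/www'.
    # realpath on both sides also catches a symlink inside the root that
    # points outside it.
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample requests; the web root is assumed and need not exist.
    root = "/srv/www"
    for req in ("/help/index.html",
                "/icons/../../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd",
                "/..\\..\\windows\\win.ini",
                "/help/../web.xml"):
        print("%-32s unsafe -> %s" % (req, unsafe_resolve(root, req)))
        print("%-32s safe   -> %s" % ("", safe_resolve(root, req)))
```

Double-encoded sequences such as %252e are left as the literal text "%2e" after the single decode, so they fail the suffix check or simply match no file; decoding a second time would reintroduce the traversal. The suffix allow-list is what stops the "/help/../web.xml" case, which stays inside the root but asks for a file type that should never be served.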

Solution Description: IBM has released a patch for this issue. The patch is available through APAR PM45322.

http://www-01.ibm.com/support/docview.wss?uid=swg21509257

Tested Systems / Software (with versions):

WebSphere Application Server Version 8.0
WebSphere Application Server Version 7.0
WebSphere Application Server Version 6.1

Vendor Contact: IBM

Website: http://www-01.ibm.com/software/webservers/appserv/was/library/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Axway's SecureTransport

Title: DDIVRT-2011-32 Axway SecureTransport '/icons/' Directory Traversal

Severity: High

Date Discovered: July 15, 2011

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description: The Axway SecureTransport device contains a directory traversal in the '/icons/' directory. An unauthenticated remote attacker can use this vulnerability to obtain arbitrary files from the root file system of the vulnerable host.

Solution Description: Axway Global Support has addressed this vulnerability in package: SecureTransport Server 4.8.2 Patch 12.

Patch download: Axway customers can download the patch using their support account at https://support.axway.com
File package: STEE-4_8_2-Patch12-Windows-x86-Build420.jar
MD5 checksum: 0401efe41ee05f2ee25d3adddca113ba
Size: 928753 bytes

See the Patch Readme file which is available on the vendor website for additional information.

Tested Systems / Software (with versions):

DDI tested: Axway SecureTransport 4.8.1
Axway tested: all supported platforms for SecureTransport 4.8.x, 4.9.x, 5.0, and 5.1; the vulnerability exists only on the Windows platform for SecureTransport 4.8.x.

Vendor Contact: Axway

Email: support@axway.com
Phone: +1-866-AXWAY-US or
- Go to https://support.axway.com
- Click the "Contact Axway Support" link to display our list of regional support contact phone numbers.

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Alcatel-Lucent OmniVista 4760 NMS

Title: DDIVRT-2010-30 Alcatel-Lucent OmniVista 4760 NMS 'lang' Directory Traversal Vulnerability (CVE-2011-0345)

Severity: High

Date Discovered: October 29th, 2010

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description: The Alcatel-Lucent OmniVista 4760 NMS is vulnerable to a directory traversal. This flaw allows remote unauthenticated attackers to retrieve arbitrary files from a vulnerable system.

Solution Description: Alcatel-Lucent has provided a patch for this vulnerability. The patch is available on the vendor's website. If you are unable to patch the system, mitigate this vulnerability by disabling the service, or restricting access to a local interface or a trusted network via a firewall or other means.

Tested Systems / Software (with versions):

OmniVista 4760 NMS version 5.0.07.05
OmniVista 4760 NMS version 5.1.06.03

Vendor Contact: Alcatel-Lucent - http://www.alcatel-lucent.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Sun Microsystems' Solaris

Title: DDIVRT-2009-28 Sun Solaris 10 rpc.cmsd Buffer Overflow and Denial of Service (CVE-2010-3509)

Severity: High

Date Discovered: November 3, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Alex Kaszczuk, Alan Chin, Jose R. Hernandez and r@b13$

Vulnerability Description: The rpc.cmsd service contains an integer overflow, which can allow a malicious unauthenticated user to cause a denial of service, or remotely execute arbitrary code with root privileges.

Solution Description: Sun has addressed this vulnerability in Sun bugID 6214701. The patch is available for download through the Oracle October Critical Patch Update (CPU) released on 12 October, 2010.

Tested Systems / Software (with versions): Sun Solaris 10 (10/09 Download)

Vendor Contact: Sun Microsystems - http://www.sun.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Adaptive Micro Systems' ALPHA Ethernet Adapter II Web-Manager 3.40.2.

Title: DDIVRT-2010-29 ALPHA Ethernet Adapter II Web-Manager 3.40.2 Authentication Bypass

Severity: High

Date Discovered: April 30, 2010

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Edward Bullard, James Robertson and r@b13$

Vulnerability Description: This version of Web-Manager contains a vulnerability which an intruder can leverage to gain read and write access to configuration settings through the device's web administration interface, leading to a full host compromise.

Solution Description: No patch is available at this time.

Tested Systems / Software (with versions):

Ubuntu Linux 9.10: Mozilla Firefox 3.5.9
Windows XP Professional Service Pack 3: Windows Internet Explorer 7.0.5730.13, Mozilla Firefox 3.6.3

Vendor Contact: Adaptive Micro Systems Inc. - http://www.adaptivedisplays.com/Default.asp

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Files2Links' F2L-3000.

Title: DDIVRT-2009-27 Files2Links F2L-3000 SQL Injection Vulnerability

Severity: Medium

Date Discovered: November 19, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Rob Kraus, Chris Graham and r@b13$

Vulnerability Description: The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL Injection. Exploitation of the vulnerability may allow attackers to bypass authentication and access sensitive information stored on the device.

Solution Description: A patch is not available at this time. Possible workarounds include disabling the vulnerable service, or limiting access to a set of trusted IP addresses.

Tested Systems / Software (with versions): F2L-3000 version 4.0.0 is the only platform that has been manually tested. Earlier versions and other, similar models may also be vulnerable as the platform is sold in various configurations.

Vendor Contact: Files2Links - http://www.files2links.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with LogRover.

Title: DDIVRT-2009-26 LogRover SQL Injection Authentication Bypass

Severity: Medium

Date Discovered: May 12th, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Geoff Humes and r@b13$

Vulnerability Description: The login screen of the LogRover web interface is vulnerable to a SQL Injection which can allow remote attackers to login to the system via an authentication bypass.

Solution Description: Limit access to the login page to internal networks and trusted users only.

Tested Systems / Software (with versions): LogRover version 2.3 for Windows XP

Vendor Contact: LogRover - http://www.logrover.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with IPcelerate's IPsession.

Title: DDIVRT-2009-25 IPsession SQL Injection Vulnerability

Severity: Medium

Date Discovered: March 31st, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: IPsession runs a web interface on port 8090 that requires valid login credentials. This interface uses user supplied input to form a database query and is vulnerable to SQL injection. This may be used to bypass authentication.
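The Storage Manager 'loginName', F2L-3000, LogRover and IPsession advisories above all describe the same defect: a login name is concatenated into the SQL text, so a crafted name rewrites the query and the login succeeds without a valid password. The KnowledgeTree and Network Performance Monitor advisories describe the blind variant, where the attacker sees only whether the login succeeded and still recovers data a bit at a time. The following Python is an added illustration, not any vendor's code: an in-memory SQLite table with a constructed 'users' row, a deliberately vulnerable login next to the parameterized fix, and a boolean-inference loop driven by nothing but the login result.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data for the example (not from any product)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login_name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'administrator')")
    return conn


def login_unsafe(conn, login_name, password):
    """The vulnerable pattern: both fields are spliced into the SQL text.
    Returns the role on success, None on failure (all the caller ever sees)."""
    sql = ("SELECT role FROM users WHERE login_name = '%s' AND password = '%s'"
           % (login_name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, login_name, password):
    """Parameterized form: the input is bound as data and cannot alter the
    query structure, so neither the bypass nor the blind oracle below works."""
    row = conn.execute(
        "SELECT role FROM users WHERE login_name = ? AND password = ?",
        (login_name, password)).fetchone()
    return row[0] if row else None


def make_oracle(login_fn, conn):
    """Turn a login function into a yes/no oracle: the crafted login name
    closes the string literal, appends a condition and comments out the
    password check; the attacker observes only whether login succeeded."""
    def oracle(condition):
        crafted = "admin' AND (%s) --" % condition
        return login_fn(conn, crafted, "irrelevant") is not None
    return oracle


def blind_extract(oracle, column, max_len=64):
    """Boolean-based blind extraction: binary-search the column length, then
    each character's code point, using only the oracle's True/False answers."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("length(%s) > %d" % (column, mid)):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 0, 0x7F
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("unicode(substr(%s, %d, 1)) > %d" % (column, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    db = build_demo_db()
    print("bypass via unsafe login:", login_unsafe(db, "admin' --", "wrong"))
    print("bypass via safe login:  ", login_safe(db, "admin' --", "wrong"))
    print("blind extraction (unsafe):",
          repr(blind_extract(make_oracle(login_unsafe, db), "password")))
    print("blind extraction (safe):  ",
          repr(blind_extract(make_oracle(login_safe, db), "password")))
```

Against the unsafe login the bypass returns the administrator role and the oracle recovers the stored password in about seven login attempts per character; against the parameterized login the crafted name is just an unknown user, every oracle answer is False and the extraction returns an empty string. Each oracle call is one failed login, so a burst of failed logins with quote characters in the user name is the signal to alert on while a vendor patch is pending.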

Solution Description: Limit access to the login page to internal networks and trusted users only.

Tested Systems / Software (with versions): Unknown version on Windows 2003

Vendor Contact: IPcelerate - www.ipcelerate.com/ipsession.html

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Precidia Ether232 devices.

Title: DDIVRT-2009-24 Precidia Ether232 Memory Corruption

Severity: Medium

Date Discovered: March 10th, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James, princeofnigeria and r@b13$

Vulnerability Description: Certain Precidia Ether232 devices contain memory overwrite and authentication flaws. By making malformed GET requests to the built-in web server on certain Precidia Ether232 devices, it is possible to arbitrarily overwrite memory on the device and cause unknown impact.

Solution Description: At this point in time, Precidia Technologies has not provided a firmware upgrade addressing the memory corruption flaw. As a workaround, Precidia Technologies suggests that users disable the web server on the device through the serial or telnet configuration interface.

Tested Systems / Software (with versions): Precidia Ether3201-232 w/ firmware 3.00.250, Precidia Ether232 Duo w/ firmware 5.00.02, Other versions are believed to be vulnerable.

Vendor Contact: Precidia Technologies - solutions@precidia.com, support@precidia.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Apache's ActiveMQ.

Title: DDIVRT-2009-23 Apache ActiveMQ Numerous Cross Site Scripting Issues

Severity: Low

Date Discovered: February 23rd, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: ActiveMQ 5.2.0's /admin interface gathers input from the user in numerous forms which are not properly sanitized. Attackers may insert script tags to have them execute when a user browses the affected areas of the page.

Solution Description: User-supplied inputs should not be rendered as executable script code when presented back to the user.

Tested Systems / Software (with versions): Windows XP SP3, ActiveMQ 5.2.0 Release Windows Binary

Vendor Contact: The Apache Software Foundation http://activemq.apache.org/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the SMART Board Whiteboard.

Title: DDIVRT-2009-22 SMART Board Whiteboard Directory Traversal Vulnerability

Severity: High

Date Discovered: January 19, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: A directory traversal condition exists in SMART Web Server whereby arbitrary files may be retrieved from this host's file system. Attackers may leverage this issue to gain access to sensitive information stored on this host.

Solution Description: No patch is available at this time.

Tested Systems / Software (with versions): Windows XP, SMART Board Whiteboard

Vendor Contact: SMART Technologies ULC http://www.smarttech.com/us

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Retrieve Technologies' vBooks version 4.2.17.

Title: DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability

Severity: Low

Date Discovered: January 19, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: Alterations of the title and message parameters in vBook allow attackers to specify arbitrary web or scripting content. The injected script tags are then executed by the browser, performing an XSS attack. Such an attack requires convincing a user to click on a specially crafted link.

Solution Description: No patch is available at this time.

Tested Systems / Software (with versions): Windows Server 2003, IIS vBooks v 4.2.17

Vendor Contact: Retrieve Technologies, Inc. http://www.retrieve.com/index.html

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the NetMRI login application.

Title: DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability

Severity: Medium

Date Discovered: January 19, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: NetMRI contains a cross-site scripting (XSS) issue whereby portions of the GET request are echoed back in an error page. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link.
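The ActiveMQ, vBook and NetMRI advisories above are all reflection issues: a value from the request (a form field, the 'title' and 'message' parameters, or the requested URL echoed into an error page) is written into HTML without encoding. The following Python is an added illustration, not any vendor's code; the page templates and the sample inputs are constructed for the example. It shows the verbatim echo, the common half-fix of escaping only angle brackets, and escaping that also covers the quoted-attribute context.

```python
import html

# Constructed inputs of the kind the advisories describe: one aimed at a text
# context, one aimed at breaking out of a double-quoted attribute value.
SCRIPT_PAYLOAD = "/nosuch?<script>alert(document.cookie)</script>"
ATTRIBUTE_PAYLOAD = 'x" onfocus="alert(1)" autofocus="'


def escape_angle_only(value):
    """The half-fix: neutralizes <script> in a text context but does nothing
    for a quoted attribute, where a double quote is the escape character."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def escape_html(value):
    """Encode for both text and double-quoted attribute contexts."""
    return html.escape(value, quote=True)


def render_error_page(request_uri, encoder=None):
    """Error page that reflects the requested URI, as the NetMRI advisory
    describes.  encoder=None reproduces the vulnerable verbatim echo."""
    shown = request_uri if encoder is None else encoder(request_uri)
    return ("<html><body><h1>Page not found</h1>"
            "<p>The requested page %s does not exist.</p></body></html>" % shown)


def render_title_field(title, encoder=None):
    """Form that re-displays a submitted 'title' inside a quoted attribute,
    the shape of the vBook and ActiveMQ form cases."""
    shown = title if encoder is None else encoder(title)
    return '<form><input type="text" name="title" value="%s"></form>' % shown


def has_injected_attribute(rendered):
    """Check used below: the template carries exactly three attribute values
    (six double quotes); any other count means the input broke out of value=."""
    return rendered.count('"') != 6


if __name__ == "__main__":
    for name, enc in (("verbatim", None), ("angle-only", escape_angle_only),
                      ("full", escape_html)):
        print(name, "error page :", render_error_page(SCRIPT_PAYLOAD, enc))
        print(name, "title field:", render_title_field(ATTRIBUTE_PAYLOAD, enc))
```

Angle-bracket escaping alone stops the error-page case and is the fix many vendors ship first, but the attribute case still executes because the payload never needs a < character. The solution text in the ActiveMQ advisory, that user input must not be rendered as script when presented back, is satisfied only by encoding for the context the value lands in.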

Solution Description: On February 18, 2009, Netcordia released a patch named "CrossScriptPatch.gpg" to address this vulnerability in all currently supported versions of NetMRI through v3.0.1. Customers can acquire the patch through the normal mechanisms or contact Netcordia Technical Support for assistance. Additionally, the necessary changes will be incorporated in future versions beginning with NetMRI v3.0.2.

Tested Systems / Software (with versions): Red Hat Linux, NetMRI

Vendor Contact: Netcordia http://www.netcordia.com/products/netmri-event-analysis.asp

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the HP-ChaiSOE/1.0 embedded web server.

Title: DDIVRT-2009-19 HP JetDirect Web Administration Directory Traversal

Severity: High

Date Discovered: October 23, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Shmoov and r@b13$

Vulnerability Description: The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read only access to directories and files outside of the web root. An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc. Information obtained from an affected host may facilitate further attacks against the host. Exploitation of this flaw is trivial using common web server directory traversal techniques.

Solution Description: The vendor has released an update. See http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905 for more details. Digital Defense, Inc. recommends restricting access to the HP JetDirect web administration interface to authorized hosts only.

Tested Systems / Software (with versions): Embedded web server HP-ChaiSOE/1.0 on:

        HP JetDirect 2420
        HP JetDirect 4250

Vendor Contact: HP http://www.hp.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within Orb Networks' Orb media server.

Title: DDIVRT-2008-18 Orb Directory Denial of Service

Severity: High

Date Discovered: October 21, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$

Vulnerability Description: Orb Networks' Orb media server is vulnerable to a denial of service condition. Sending malformed HTTP requests may crash the service, denying service to legitimate users.

Solution Description: Use firewall rules to restrict access to authorized users of the Orb server.

Tested Systems / Software (with versions):

Orb version 2.01.0022 on Windows XP Pro SP2
Orb version 2.01.0017 on Windows XP Pro SP2
Nullsoft Winamp Remote Server Beta (featuring Orb version 2.01.0013) on Windows XP Pro SP2

Vendor Contact: Orb Networks, www.orb.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within Orb Networks' Orb media server.

Title: DDIVRT-2008-17 Orb Directory Traversal

Severity: High

Date Discovered: October 21, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$

Vulnerability Description: Orb Networks' Orb media server is vulnerable to directory traversal attacks. Users can leverage specially crafted GET requests to read arbitrary files.

Solution Description: Use firewall rules to restrict access to authorized users of the Orb server. This issue is fixed in version 2.01.0022 available at http://www.orb.com/download/us/setup_2.01.0022.exe.

Tested Systems / Software (with versions):

Orb version 2.01.0017 on Windows XP Pro SP2
Nullsoft Winamp Remote Server Beta (featuring Orb version 2.01.0013) on Windows XP Pro SP2

Vendor Contact: Orb Networks, www.orb.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the iPhone Configuration Web Utility 1.0.

Title: DDIVRT-2008-15 iPhone Configuration Web Utility 1.0 for Windows Directory Traversal

Severity: High

Date Discovered: October 2, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu and r@b13$

Vulnerability Description: The iPhone Configuration Web Utility allows centralized management of iPhone configuration settings. The iPhone Configuration Web Utility 1.0 for Windows web interface is vulnerable to a common web directory traversal attack. Successful exploitation will result in arbitrary read-only file access outside of the iPhone Configuration Web Utility 1.0 web root.

Solution Description: Filter network traffic so that only trusted users can access the web interface.

Tested Systems / Software (with versions): iPhone Configuration Web Utility 1.0 for Windows on Windows XP Professional

Vendor Contact: Apple Inc., www.apple.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point.

Title: DDIVRT-2008-14 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point Malformed HTTP POST DoS

Severity: Medium

Date Discovered: May 20, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Brandon Shilling and r@b13$

Vulnerability Description: The 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point is an enterprise-grade wireless access point. The web management interface is vulnerable to a DoS condition due to improper validation of malformed HTTP POST requests. Successful exploitation will result in a complete DoS of the device.

Solution Description: 3Com has not addressed this issue at this time. Digital Defense, Inc. does not currently know of any workarounds for this flaw.

Tested Systems / Software (with versions): Tested against 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point, firmware unknown.

Vendor Contact: 3Com, www.3com.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within AVTECH's PageR Enterprise.

Title: DDIVRT-2008-13 AVTECH PageR Enterprise Directory Traversal

Severity: Medium

Date Discovered: July 1, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu and r@b13$

Vulnerability Description: PageR Enterprise is a centralized device / server event monitoring system. The PageR Enterprise server web interface is vulnerable to a common web directory traversal attack. Successful exploitation will result in arbitrary read-only file access outside of the PageR Enterprise web root.

Solution Description: AVTECH has addressed this flaw in PageR version 5.0.7, which was available for public use on August 13, 2008.

Tested Systems / Software (with versions): Tested against PageR Enterprise/4.3.7 running on a Microsoft Windows 2000 system. Other versions of PageR Enterprise may be vulnerable.

Vendor Contact: AVTECH, www.avtech.com, Info@AVTECH.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the ServerView server management suite.

Title: DDIVRT-2008-12 ServerView SnmpGetMibValues.exe Buffer Overflow

Severity: High

Date Discovered: May 1, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James, Mike James and r@b13$

Vulnerability Description: ServerView is a server management suite. Several buffer overflow conditions exist in remotely-accessible portions of the suite. Authenticated users (by default, all users) can cause a stack overflow by sending a specially-crafted URL to the ServerView web interface.

Solution Description: Require authentication for remote users of the web interface so that only known accounts can reach the vulnerable code paths.

Tested Systems / Software (with versions): ServerView 04.60.07 was tested on Windows XP. Other versions are assumed to be vulnerable.

As of yet, a patch has not been issued by the vendor.

Vendor Contact: Fujitsu Siemens, www.fujitsu-siemens.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the BadBlue Web Server.

Title: DDIVRT-2008-11 BadBlue uninst.exe Denial of Service

Severity: Medium

Date discovered: March 5, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$

Vulnerability Description: BadBlue is a web server used for peer-to-peer file sharing. By default, several executable files are stored in the web root: badblue.exe, uninst.exe, and dyndns.exe. Executable files stored in the web root of BadBlue can be launched remotely by any user. This can be leveraged to create a DoS condition by repeatedly invoking the uninst.exe executable. Because BadBlue has not released a patch for the previously documented directory traversal vulnerability (CVE-2007-6378), an attacker may use the two flaws in conjunction to place a malicious executable in the web root and compromise a vulnerable server.

Solution Description: Restrict access to the executables already in the web root (badblue.exe, uninst.exe, and dyndns.exe) and take steps to ensure that users cannot write files to the web root.

Tested Systems / Software (with versions): BadBlue Personal Edition version 2.72 has been tested on Windows XP and Windows Server 2003. Other versions and systems are assumed to be vulnerable.

Vendor Contact: BadBlue, www.badblue.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the PacketTrap Networks Inc. PT360 Tool Suite.

Title: DDIVRT-2008-10 PacketTrap PT360 Tool Suite TFTP Arbitrary File Access

Severity: High

Date discovered: January 29, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: princeofnigeria and r@b13$

Vulnerability Description: The default installation of the PacketTrap PT360 Tool Suite Version 1.1.33.1.0 TFTP server component is susceptible to a directory traversal attack. A remote or local attacker can exploit this flaw to retrieve arbitrary files outside of the TFTP server root directory. Because TFTP also accepts write requests, the same flaw allows a remote attacker to overwrite and modify system files, which could facilitate a full system compromise.

Solution Description: PacketTrap Networks, Inc. released a patch (#3302) for this flaw on February 29, 2008

Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, PacketTrap PT360 Tool Suite Version 1.1.33.1.0.
Other versions may be vulnerable to this flaw.

Vendor Contact: PacketTrap Networks, Inc., www.packettrap.com, sales@packettrap.com, support@packettrap.com, info@packettrap.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the PacketTrap Networks Inc. PT360 Tool Suite.

Title: DDIVRT-2008-9 PacketTrap PT360 Tool Suite TFTP Denial of Service

Severity: Medium

Date discovered: January 29, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: princeofnigeria and r@b13$

Vulnerability Description: The default installation of the PacketTrap PT360 Tool Suite Version 1.1.33.1.0 TFTP server component is susceptible to a denial of service condition. A remote or local attacker can exploit this flaw by sending a specially crafted packet to the TFTP server. Successful exploitation of this flaw will cause the TFTP server process to crash. The TFTP server will need to be restarted to resume normal TFTP server operations.

Solution Description: PacketTrap Networks, Inc. released a patch (#3302) for this flaw on February 29, 2008

Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, PacketTrap PT360 Tool Suite Version 1.1.33.1.0.
Other versions may be vulnerable to this flaw.

Vendor Contact: PacketTrap Networks, Inc., www.packettrap.com, sales@packettrap.com, support@packettrap.com, info@packettrap.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the Trust Data Solutions' File Scheduler web application.

Title: DDIVRT-2007-7 Job File Scheduler Authentication Bypass

Severity: High

Date Discovered: November 14, 2007

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Michael Sunderland

Vulnerability Description: The Job File Scheduler web application is vulnerable to an authentication bypass through SQL injection. Successful exploitation of this vulnerability allows administrative level access to the web application with the ability to make modifications to the configuration of the application and all scheduled jobs. Due to the sensitivity of the data handled through this application, the extent of the compromise could result in the disclosure of personal information such as names, addresses, financial account numbers, SSN, etc.

Solution Description: Digital Defense, Inc. initially notified Trust Data Solutions, LLC on November 28, 2007 and received confirmation from the notification on the same day. Trust Data Solutions, LLC informed DDI that this flaw had previously been identified internally. Special thanks to Trust Data Solutions, LLC for their willingness to work with the DDI VRT staff.

Due to the fact that Trust Data Solutions, LLC does not offer automated patching, it is necessary to contact Trust Data Solutions, LLC specifically concerning the SQL injection flaw in order to obtain the fix.

Tested Systems / Software (with versions): Red Hat Linux / Apache v2.0.52 / Job File Scheduler v2.0 Other versions may be vulnerable to this flaw.

Vendor Contact: Trust Data Solutions, LLC, http://www.trustdatasolutions.com/, Email: support@trustdatasolutions.com
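The authentication bypass above is the classic shape of SQL injection in a login form: the submitted username is spliced into the query text, so a quote and a comment marker close the string and discard the password check. The following Python is an added example and is not code from Job File Scheduler or from DDI; it uses an in-memory SQLite table as a constructed stand-in for the application's account store and shows the string-built query beside the parameterised one that defeats the same input.

```python
import sqlite3
from typing import Optional


def build_demo_db() -> sqlite3.Connection:
    """Constructed fixture: an in-memory account table standing in for the
    scheduler's real store. Passwords are stored in clear only to keep the
    example short; a real store holds salted hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", "administrator"), ("clerk", "clerk-pass", "operator")],
    )
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Query built by string formatting: the submitted text is parsed as SQL.
    A username of  admin' --  closes the string literal, comments out the
    password clause, and returns the admin row with no credential check.
    Returns the role of the matched account, or None."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = db.execute(sql).fetchone()
    return row[1] if row else None


def login_safe(db: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised query: the same strings are bound as data, so a quote or
    comment marker in the username is just characters to compare against."""
    row = db.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


# Constructed bypass attempts of the two classic shapes: comment out the
# password clause, or make the WHERE clause true for every row.
BYPASS_ATTEMPTS = [
    ("admin' --", "anything"),
    ("x' OR '1'='1", "x' OR '1'='1"),
]

if __name__ == "__main__":
    db = build_demo_db()
    for user, pw in BYPASS_ATTEMPTS:
        print(f"{user!r:18} vulnerable -> {login_vulnerable(db, user, pw)!r:18} "
              f"safe -> {login_safe(db, user, pw)!r}")
    print("legitimate admin via login_safe ->", login_safe(db, "admin", "s3cret-admin"))
```

The second payload works even without a comment marker because AND binds tighter than OR, so the trailing `OR '1'='1'` makes the whole predicate true; whichever row the database returns first is the one the attacker is logged in as, which is why a bypass of this kind so often lands on the administrative account.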

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within Sentinel Protection Server.

Title: DDIVRT-2007-6 Sentinel Protection Server Directory Traversal

Severity: High

Date discovered: October 10, 2007

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu

Vulnerability Description: A classic directory traversal condition exists within the Sentinel Protection Server. By sending an HTTP GET request whose path consists of an escaped traversal sequence followed by the path of a file, an attacker can leverage an arbitrary file access condition on the affected system.

Solution Description: Digital Defense, Inc. initially notified SafeNet on October 12, 2007 and received confirmation from the notification on October 30, 2007.
SafeNet informed DDI that it would be releasing a patch for this flaw on November 16, 2007. At this time, DDI does not have a resolution number for the SafeNet patch for this flaw.

Tested Systems / Software (with versions): Sentinel Protection Server 7.1
Other versions may be vulnerable to this flaw.

Vendor Contact: SafeNet, www.safenet-inc.com
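The three web directory traversal advisories above (iPhone Configuration Web Utility, PageR Enterprise and Sentinel Protection Server) describe the same defect: a request path is joined onto the web root without checking that the result stays inside it, and the Sentinel case adds that the traversal sequence arrives percent-encoded. The following Python is an added example and is not code from any of those products or from DDI. It builds a constructed temporary web root with a sensitive file one directory above it, shows the naive join handing that file out for plain, percent-encoded, double-encoded and backslash traversal sequences, and shows a containment check that refuses all of them. The four-round decode limit is an assumption chosen for the example.

```python
import os
import tempfile
from typing import Callable, Optional, Tuple
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path would resolve outside the web root."""


def decode_request_path(raw_path: str) -> str:
    """Percent-decode until the string stops changing (so %252e%252e, a
    double-encoded '..', is fully unwrapped) and fold Windows backslashes
    into forward slashes. Decoding before the containment check matters:
    a check run on the still-encoded string sees no '..' at all."""
    decoded = raw_path
    for _ in range(4):  # assumption: four rounds cover any realistic nesting
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def naive_resolve(web_root: str, raw_path: str) -> str:
    """The vulnerable pattern: decode, strip the leading slash, join.
    Any '..' component survives and walks out of web_root."""
    relative = decode_request_path(raw_path).lstrip("/")
    return os.path.normpath(os.path.join(web_root, relative))


def safe_resolve(web_root: str, raw_path: str) -> str:
    """Resolve against the canonical web root and refuse any result that is
    not the root itself or a path beneath it. realpath() also follows
    symlinks, so a link inside the root that points outside is refused."""
    root = os.path.realpath(web_root)
    relative = decode_request_path(raw_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError(raw_path)
    return candidate


def build_demo_tree() -> Tuple[str, str]:
    """Constructed fixture: a web root holding index.html, and a sensitive
    file one directory above it standing in for anything outside the root."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    web_root = os.path.join(base, "www")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as fh:
        fh.write("<html>hello</html>")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not for the web")
    return web_root, secret


def serve(resolver: Callable[[str, str], str], web_root: str, raw_path: str) -> Optional[str]:
    """Serve one request through the given resolver. None means the request
    was refused, either by the containment check or because nothing exists
    at the resolved path."""
    try:
        with open(resolver(web_root, raw_path)) as fh:
            return fh.read()
    except (TraversalError, OSError):
        return None


# Constructed attack strings in the shapes the advisories describe: plain,
# percent-encoded, double-encoded and encoded-backslash traversal.
ATTACKS = [
    "/../secret.txt",
    "/%2e%2e/secret.txt",
    "/%252e%252e/secret.txt",
    "/..%5csecret.txt",
]


if __name__ == "__main__":
    root, _ = build_demo_tree()
    for raw in ATTACKS:
        print(f"{raw:26} naive={serve(naive_resolve, root, raw)!r:18} "
              f"safe={serve(safe_resolve, root, raw)!r}")
    print("legitimate request via safe_resolve:", serve(safe_resolve, root, "/index.html"))
```

The check compares canonical paths rather than searching the request string for `..`, because a string filter has to anticipate every encoding the server will later decode, while the canonical-path comparison is indifferent to how the traversal was spelled.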

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within NetSupport Manager.

Title: DDIVRT-2007-5 NetSupport Manager Client Buffer Overflow

Severity: Medium

Date discovered: September 4, 2007

Discovered by: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description: The NetSupport Manager client that listens on TCP port 5405 does not properly validate input supplied during the initial connection sequence. Specifically, during the configuration exchange part of the initial connection setup, the client does not appear to validate the supplied data, which can result in a DoS of the NetSupport Manager client or of the host in general. Remote code execution is also thought to be possible. Within Technical Document ID TD545, NetSupport acknowledges that this flaw is present in unspecified versions of NetSupport School Student.

Solution Description: Digital Defense, Inc. notified NetSupport on September 9, 2007 of this flaw but did not receive any response or acknowledgement from the vendor. However, NetSupport has released a patch for this flaw as described by NetSupport Technical Document ID TD545.

Tested Systems / Software (with versions): NetSupport Manager 10.20 running on Windows XP SP2 and Windows 2K3 SP2.

NetSupport acknowledges in Technical Document ID TD545 that the following versions of the NetSupport Manager are vulnerable to this flaw: NSM 10.00, NSS 9.00, NSM 10.20

Vendor Contact: NetSupport, http://www.netsupport-inc.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within NetSupport Manager.

Title: DDIVRT-2007-4 NetSupport Manager Authentication Bypass

Severity: High

Date discovered: September 4, 2007

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description: The NetSupport Manager client that listens on TCP port 5405 does not properly handle authentication sessions. It is possible to pose as the NetSupport Manager, associate to a client, and then issue commands without performing the authentication sequence. Both the basic and advanced authentication schemes can be bypassed in the same manner. When properly exploited, this flaw results in a complete compromise of the target system.

Solution Description: Digital Defense, Inc. notified NetSupport on September 9, 2007 of this flaw but did not receive any response or acknowledgement from the vendor. However, NetSupport has released a patch for this flaw as described by NetSupport Technical Document ID TD543.

Tested Systems / Software (with versions): NetSupport Manager 10.20 running on Windows XP SP2 and Windows 2K3 SP2. NetSupport acknowledges in Technical Document ID TD543 that the following versions of the NetSupport Manager are vulnerable to this flaw: NSM 5.00, NSM 5.01, NSM 5.02, NSM 5.02f1, NSM 5.03, NSM 5.05, NSM 5.30, NSM 5.31, NSM 6.00, NSM 6.10, NSM 6.11, NSM 7.01, NSM 7.10, NSM 8.00, NSM 8.10, NSM 9.00, NSM 8.50, NSM 8.60, NSM 9.10, NSM 9.50, NSM 9.60, NSM 10.00, NSM 10.20

Vendor Contact: NetSupport, http://www.netsupport-inc.com/
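The two NetSupport Manager advisories above (DDIVRT-2007-5 and DDIVRT-2007-4) are two sides of the same listener: a configuration record whose supplied data is copied without validation, and a command dispatcher that acts on message type alone without checking whether the session ever completed authentication. The following Python is an added example and does not reproduce NetSupport's wire protocol, which the advisories do not document; the framing format (2-byte type, 2-byte length, payload), the message types, the MAX_PAYLOAD cap and the shared secret are all assumptions made for the example. It shows a framer that rejects an impossible declared length before any copy, and a session whose lenient mode executes a command sent without authentication while its strict mode refuses it.

```python
import hmac
import struct
from typing import List, Optional, Tuple

# Hypothetical message types for a hand-rolled framing format; NetSupport's
# real wire protocol is not documented here and this does not reproduce it.
HELLO, CONFIG, AUTH, CMD = 1, 2, 3, 4
HEADER = struct.Struct("!HH")   # message type, payload length
MAX_PAYLOAD = 1024              # assumption: largest record the client buffers


def frame(mtype: int, payload: bytes) -> bytes:
    """Encode one message as header + payload."""
    return HEADER.pack(mtype, len(payload)) + payload


def parse_frame(buf: bytes) -> Tuple[Optional[Tuple[int, bytes]], bytes]:
    """Pull one frame off a receive buffer: (frame, remainder), with frame None
    when more bytes are needed. The declared length is checked against the
    fixed buffer size before any copy; trusting it unchecked is the shape of
    bug DDIVRT-2007-5 describes in the configuration exchange."""
    if len(buf) < HEADER.size:
        return None, buf
    mtype, length = HEADER.unpack_from(buf)
    if length > MAX_PAYLOAD:
        raise ValueError(f"declared payload {length} exceeds {MAX_PAYLOAD}")
    end = HEADER.size + length
    if len(buf) < end:
        return None, buf
    return (mtype, buf[HEADER.size:end]), buf[end:]


class Session:
    """Listening-side state for one connection. With strict=False, CMD is
    dispatched on message type alone (the DDIVRT-2007-4 behaviour: a peer
    that skips AUTH still gets its commands executed). With strict=True the
    dispatcher consults the session state before acting."""

    def __init__(self, secret: bytes, strict: bool = True):
        self.secret = secret
        self.strict = strict
        self.configured = False
        self.authenticated = False

    def handle(self, mtype: int, payload: bytes) -> str:
        if mtype == HELLO:
            return "hello-ack"
        if mtype == CONFIG:
            self.configured = True
            return "config-ack"
        if mtype == AUTH:
            if not self.configured:
                return "rejected: auth before config"
            if hmac.compare_digest(payload, self.secret):
                self.authenticated = True
                return "auth-ok"
            return "auth-failed"
        if mtype == CMD:
            if self.strict and not self.authenticated:
                return "rejected: command before authentication"
            return f"executed {payload.decode('ascii', 'replace')}"
        return "rejected: unknown message type"


def run(session: Session, stream: bytes) -> List[str]:
    """Feed a byte stream through the framer and dispatcher and return the
    response log. A frame that fails validation drops the connection."""
    responses: List[str] = []
    buf = stream
    while True:
        try:
            parsed, buf = parse_frame(buf)
        except ValueError as exc:
            responses.append(f"dropped: {exc}")
            break
        if parsed is None:
            break
        responses.append(session.handle(*parsed))
    return responses


SECRET = b"correct-horse"   # constructed shared secret for the demo

# Constructed streams: a peer that skips AUTH entirely, a legitimate peer,
# and a peer whose CONFIG record declares an impossible length.
BYPASS_STREAM = frame(HELLO, b"") + frame(CONFIG, b"cfg") + frame(CMD, b"shutdown")
LEGIT_STREAM = (frame(HELLO, b"") + frame(CONFIG, b"cfg")
                + frame(AUTH, SECRET) + frame(CMD, b"shutdown"))
OVERSIZE_STREAM = frame(HELLO, b"") + HEADER.pack(CONFIG, 0xFFFF) + b"A" * 64

if __name__ == "__main__":
    print("lenient :", run(Session(SECRET, strict=False), BYPASS_STREAM))
    print("strict  :", run(Session(SECRET, strict=True), BYPASS_STREAM))
    print("legit   :", run(Session(SECRET), LEGIT_STREAM))
    print("oversize:", run(Session(SECRET), OVERSIZE_STREAM))
```

The point of the strict dispatcher is that the decision to execute a command is a function of session state, not of the message the peer chose to send; a peer that never sent AUTH, or whose AUTH failed, is in the same state as a stranger and is treated as one.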

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a directory traversal vulnerability in the TFTPdWin software.

Title: TFTPdWin 0.4.2 Server Directory Traversal Vulnerability

Severity: High

Date Discovered: March 15, 2007

Discovered by: Digital Defense, Inc. Vulnerability Research Team

Vulnerability Description: TFTPdWin 0.4.2 contains a directory traversal vulnerability that allows a potential intruder to gain read and write access to directories and files outside of the TFTP root. Successful exploitation of this vulnerability may also allow a remote, unauthenticated attacker to overwrite and modify system files, which could facilitate the execution of arbitrary code and ultimately lead to a full system compromise.

Solution Description: No patch is available at this time.

Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, TFTPdWin version 0.4.2. Other versions may be vulnerable.

Vendor Contact: ProSysInfo, www.prosysinfo.webpark.pl
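The three TFTP advisories above (DDIVRT-2008-10, DDIVRT-2008-9 and TFTPdWin 0.4.2) cover the two things a TFTP request handler has to get right: parse the request without trusting any field it contains, and keep the requested filename inside the server root for both reads and writes. The following Python is an added example and is not code from PacketTrap, ProSysInfo or DDI. It parses RFC 1350 read and write requests with every field bounds-checked, answers malformed datagrams with a TFTP ERROR packet instead of crashing, and applies a lexical containment check that handles forward slashes, backslashes, drive letters and absolute paths. The MAX_FILENAME cap and the sample datagrams are constructed for the example.

```python
import os
import struct
from typing import Optional, Tuple

# RFC 1350 opcodes and error codes used below
RRQ, WRQ, ERROR = 1, 2, 5
ERR_NOT_DEFINED, ERR_ACCESS_VIOLATION = 0, 2
MAX_FILENAME = 255          # assumption: generous cap on the filename field
KNOWN_MODES = {"netascii", "octet", "mail"}


class MalformedRequest(ValueError):
    """A request the parser refuses; the server answers with ERROR and carries on."""


def error_packet(code: int, message: str) -> bytes:
    """TFTP ERROR packet: opcode 5, 16-bit error code, message text, NUL."""
    return struct.pack("!HH", ERROR, code) + message.encode("ascii", "replace") + b"\x00"


def parse_request(packet: bytes) -> Tuple[int, str, str]:
    """Parse an RRQ or WRQ (opcode, filename NUL mode NUL [options]).
    Every field is bounds-checked before use, so a truncated, unterminated
    or oversized request raises MalformedRequest rather than taking the
    process down (the failure mode behind DDIVRT-2008-9)."""
    if len(packet) < 4:
        raise MalformedRequest("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise MalformedRequest(f"unexpected opcode {opcode}")
    fields = packet[2:].split(b"\x00")
    # a well-formed request ends with NUL, so the final split element is empty
    if len(fields) < 3 or fields[-1] != b"":
        raise MalformedRequest("filename or mode not NUL-terminated")
    raw_name, raw_mode = fields[0], fields[1]
    if not raw_name or len(raw_name) > MAX_FILENAME:
        raise MalformedRequest("bad filename length")
    try:
        name, mode = raw_name.decode("ascii"), raw_mode.decode("ascii").lower()
    except UnicodeDecodeError:
        raise MalformedRequest("non-ASCII field") from None
    if mode not in KNOWN_MODES:
        raise MalformedRequest(f"unknown transfer mode {mode!r}")
    return opcode, name, mode


def resolve_in_root(root: str, name: str) -> Optional[str]:
    """Lexical containment check for the TFTP root: fold backslashes, refuse
    absolute paths and drive letters, normalise, and refuse anything whose
    first component is still '..'. Lexical rather than realpath-based
    because the target of a WRQ need not exist yet."""
    cleaned = name.replace("\\", "/")
    if cleaned.startswith("/") or (len(cleaned) > 1 and cleaned[1] == ":"):
        return None
    rel = os.path.normpath(cleaned).replace("\\", "/")
    if rel in (".", "") or rel.split("/")[0] == "..":
        return None
    return os.path.join(root, *rel.split("/"))


def handle_request(root: str, packet: bytes) -> Tuple[str, object]:
    """('ok', path) when the transfer may proceed against path, otherwise
    ('error', packet_bytes) holding the TFTP ERROR to send to the peer."""
    try:
        opcode, name, mode = parse_request(packet)
    except MalformedRequest as exc:
        return "error", error_packet(ERR_NOT_DEFINED, f"malformed request: {exc}")
    target = resolve_in_root(root, name)
    if target is None:
        return "error", error_packet(ERR_ACCESS_VIOLATION, "access violation")
    return "ok", target


# Constructed sample datagrams: one legitimate read, the two traversal shapes
# the advisories describe (read of a system file, write over a system file),
# and three malformed packets of the kind that crash a careless parser.
SAMPLES = {
    "legitimate RRQ": b"\x00\x01firmware.bin\x00octet\x00",
    "RRQ traversal": b"\x00\x01../../../windows/win.ini\x00octet\x00",
    "WRQ traversal (backslash)":
        b"\x00\x02..\\..\\windows\\system32\\drivers\\etc\\hosts\x00octet\x00",
    "truncated": b"\x00\x01",
    "missing NUL": b"\x00\x01firmware.bin",
    "oversized filename": b"\x00\x01" + b"A" * 4000 + b"\x00octet\x00",
}

if __name__ == "__main__":
    for label, datagram in SAMPLES.items():
        print(f"{label:28} -> {handle_request('/srv/tftp', datagram)}")
```

The same resolve_in_root check must run for WRQ as for RRQ: the PacketTrap and TFTPdWin advisories both note that the write path is what turns file disclosure into system file overwrite and full compromise.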

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered an authentication bypass vulnerability in the eFileCabinet digital imaging software suite.

Title: eFileCabinet Authentication Bypass

Severity: Medium

Date Discovered: December 20, 2006

Discovered By: Digital Defense, Inc. Vulnerability Research Team

Vulnerability Description: The eFileCabinet software suite houses digital images of files. Though the eFileCabinet HTTP interface is password protected, it is possible to bypass said access controls to gain partial access to the eFileCabinet software. In order to bypass security, an attacker must supply a non-existent filecabinetnumber, such as 0. An attacker can utilize this access to partially navigate the eFileCabinet HTTP interface. Successful exploitation of this flaw could allow an attacker to create eFileCabinet drawers or potentially to obtain access to sensitive information.

Solution Description: The vendor has been notified of this flaw but has not provided a patch. For more information concerning the eFileCabinet Authentication Bypass flaw, please contact eFileCabinet.

Vendor Verified Systems / Software (with versions): Confirmed on eFileCabinet Version 3.3. Other versions may be vulnerable.

Vendor Contact: eFileCabinet, www.efilecabinet.com
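The eFileCabinet bypass above has a shape worth recognising on its own: access control that only denies when a record is found, so a lookup for a cabinet that does not exist (the advisory's "non-existent filecabinetnumber, such as 0") never reaches the deny branch. The following Python is an added example and not eFileCabinet's code; it models the check hypothetically, with a constructed cabinet table, to show the fail-open authorisation beside the fail-closed one and how a drawer-creation handler behaves under each.

```python
from typing import Callable, Dict, Set


class Cabinet:
    """One file cabinet, the users allowed to open it, and its drawers."""

    def __init__(self, number: int, allowed: Set[str]):
        self.number = number
        self.allowed = allowed
        self.drawers: Set[str] = set()


def build_demo_cabinets() -> Dict[int, Cabinet]:
    """Constructed fixture: two cabinets with distinct owners."""
    return {1: Cabinet(1, {"alice"}), 2: Cabinet(2, {"bob"})}


def authorize_fail_open(cabinets: Dict[int, Cabinet], user: str, number: int) -> bool:
    """Vulnerable shape (hypothetical model of the advisory): access is denied
    only when a cabinet record exists and the user is not on its list. A
    number matching no cabinet, such as 0, skips the deny branch entirely."""
    cabinet = cabinets.get(number)
    if cabinet is not None and user not in cabinet.allowed:
        return False
    return True


def authorize_fail_closed(cabinets: Dict[int, Cabinet], user: str, number: int) -> bool:
    """Fixed shape: an unknown cabinet is a denial, and access is granted
    only on a positive match against the record."""
    cabinet = cabinets.get(number)
    return cabinet is not None and user in cabinet.allowed


Authorizer = Callable[[Dict[int, Cabinet], str, int], bool]


def create_drawer(cabinets: Dict[int, Cabinet], user: str, number: int,
                  drawer: str, authorize: Authorizer) -> bool:
    """A request handler of the kind the advisory describes: authorise, then
    act. Assumed behaviour for the example: a cabinet that does not yet exist
    is materialised on first write, so under the fail-open check a caller
    who names cabinet 0 ends up owning a cabinet the system never had."""
    if not authorize(cabinets, user, number):
        return False
    cabinet = cabinets.setdefault(number, Cabinet(number, {user}))
    cabinet.drawers.add(drawer)
    return True


if __name__ == "__main__":
    for label, authorize in (("fail-open", authorize_fail_open),
                             ("fail-closed", authorize_fail_closed)):
        cabs = build_demo_cabinets()
        created = create_drawer(cabs, "mallory", 0, "loot", authorize)
        print(f"{label:12} mallory -> cabinet 0: created={created}, cabinets now {sorted(cabs)}")
```

The fail-closed form reads as a single positive condition, which is the property to look for in review: any authorisation routine whose default return is True is one missing record away from the bypass described above.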