####################################################################### Luigi Auriemma Application: Chesapeake TFTP Server http://www.netcordia.com/tools/tools/TrivialFTP/tftp.html Versions: 1.0 Platforms: any supported by Java Bugs: A] directory traversal B] Denial of Service Exploitation: remote Date: 30 October 2004 Author: Luigi Auriemma e-mail: aluigi@altervista.org web: http://aluigi.altervista.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Chesapeake TFTP Server is (was) a server written in Java some years ago from the Chesapeake developers (now Netcordia). ####################################################################### ======= 2) Bugs ======= ---------------------- A] directory traversal ---------------------- The server is vulnerable to a classical directory traversal bug happening when an attacker uses the dot-dot-slash/backslash pattern letting him to upload or download files everywhere in the disk on which is set the base file directory. -------------------- B] Denial of Service -------------------- The server stops to respond to the clients requests if receives an UDP packet bigger than 514 bytes. ####################################################################### =========== 3) The Code =========== http://aluigi.altervista.org/testz/tftpx.zip A] tftpx server ../secret.txt secret.txt tftpx -u server ..\..\windows\calc.exe evil.exe B] tftpx -f server 508 none ####################################################################### ====== 4) Fix ====== No fix. This program is no longer supported. #######################################################################