
Directory Traversal in SolarWinds TFTP Server

10.24.02

BACKGROUND

The SolarWinds TFTP Server has the ability to send and receive multiple files concurrently. This TFTP Server is commonly used to upload/download executable images and configurations to routers, switches, hubs, XTerminals, etc. The software is freely available from http://support.solarwinds.net/updates/New-customerFree.cfm and is also included in the Standard, Professional, and Professional Plus Editions of SolarWinds Network Management Tools.

DESCRIPTION

SolarWinds.net's TFTP Server is susceptible to a folder traversal attack allowing attackers to retrieve any file from the application. This vulnerability is often found due to a common programming error in the handling of file paths. The process is best explained with an example:

tftp target.server GET a\..\..\winnt\repair\sam

The above example will retrieve the Windows NT SAM file from the target server as the file request is translated to:

C:\TFTP-ROOT\a\..\..\winnt\repair\sam

Where TFTP-ROOT is the default installed root directory. 
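
The following Python example is added here for illustration and is not part of the original advisory or SolarWinds code. It places the unchecked path translation described above next to a containment check a TFTP server can run on a read request before opening a file. The function names are hypothetical, C:\TFTP-ROOT is the root from the advisory, and the sample requests are constructed.

```python
import ntpath  # Windows path rules; purely lexical, so this runs on any OS
import struct

TFTP_ROOT = "C:\\TFTP-ROOT"  # root directory named in the advisory
OP_RRQ = 1                   # RFC 1350 read-request opcode


def parse_rrq(packet: bytes) -> str:
    """Extract the filename from an RFC 1350 read request (RRQ)."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not a read request")
    fields = packet[2:].split(b"\x00")
    # Expected layout: filename NUL mode NUL -> [name, mode, b""]
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed read request")
    return fields[0].decode("ascii")


def naive_translate(name: str) -> str:
    """Flawed pattern: append the client-supplied name to the root unchecked."""
    return TFTP_ROOT + "\\" + name


def safe_translate(name: str, root: str = TFTP_ROOT) -> str:
    """Return the normalized path for name, or raise if it leaves root."""
    # join() honours absolute and drive-qualified names; normpath() folds
    # '/' into '\\' and collapses '..', so compare only after both have run.
    candidate = ntpath.normpath(ntpath.join(root, name))
    base = ntpath.normcase(ntpath.normpath(root))
    # The trailing separator stops 'C:\\TFTP-ROOT-old' matching as a prefix.
    if not ntpath.normcase(candidate).startswith(base + "\\"):
        raise PermissionError(f"request escapes TFTP root: {name!r}")
    return candidate  # lexical check only; links/junctions need an OS-level check


def resolve_request(packet: bytes) -> str:
    """Parse an RRQ and map it to a path inside the root."""
    return safe_translate(parse_rrq(packet))


if __name__ == "__main__":
    # Constructed sample requests: one benign, one using the advisory's filename.
    for name in ("configs\\router1.cfg", "a\\..\\..\\winnt\\repair\\sam"):
        pkt = struct.pack("!H", OP_RRQ) + name.encode() + b"\x00octet\x00"
        try:
            print("serve", resolve_request(pkt))
        except PermissionError as exc:
            print("deny ", exc)
```

The check compares paths only after normalization, so a name such as A\..\readme.txt that stays inside the root is still served, while forward-slash, absolute and sibling-directory variants are refused.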

ANALYSIS

Successful exploitation of this vulnerability provides attackers with access to any file on the target system. It is possible for this attack to lead to further compromise if, for example, the Windows NT SAM file was retrieved. SolarWinds TFTP Server is a free, multi-threaded TFTP server with security. More information about this application can be found at http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/.

DETECTION

iDEFENSE has verified the existence of this vulnerability in the latest version of SolarWinds TFTP Server (v5.0.55). It is suspected that earlier versions are vulnerable as well. A specific implementation's susceptibility can be determined by experimenting with the above-described specifics.

WORKAROUND

It is suggested that file transmittals be disabled if they are not required. This can be accomplished by selecting the "Receive only" radio button under the "File\Configure\Security" tab of the application. A firewall that restricts access to the application to only trusted sources could also help mitigate the attack.

Additionally, version 5.0.60 or later of the SolarWinds TFTP Server does not have this vulnerability.

VENDOR RESPONSE

This problem has been resolved in all versions of the SolarWinds TFTP Server that are version 5.0.60 or later. Updated versions of all SolarWinds Tools are now available from http://www.solarwinds.net.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1209 to this issue.

DISCLOSURE TIMELINE

09/22/2002 Issue disclosed to iDEFENSE
10/14/2002 Solarwinds.net notified
10/14/2002 iDEFENSE clients notified
10/14/2002 Response received from Josh Stevens (josh@solarwinds.net)
10/14/2002 Vendor fix made available
10/24/2002 Coordinated public disclosure

CREDIT

Matthew Murphy (mattmurphy@kc.rr.com) is credited with discovering this vulnerability.