Critical update of WinAgents TFTP Server


A new version of WinAgents TFTP Server is available from August 18, 2005. The current version has a number of important updates that increase the safety of your server.

We do all we can to make our software meet all possible requirements of safety and reliability. However, on August 18, 2005 we received a notice from the Rapid7 company ( telling about a vulnerability in WinAgents TFTP Server version 3.1. The vulnerability allows an intruder to get access to files outside the root directory of TFTP. Below you can see the entire text of the message reporting about the vulnerability.

WinAgents Software Group has released an update of WinAgents TFTP Server that doesn't have this vulnerability. You can download the updated version from our site: We strongly recommend that you should install this update to increase the security of your server. This update is free for all registered users.

Please accept our sincere apologies about the inconvenience.

Rapid7 Security Advisory R7-0020 
Directory traversal vulnerability in WinAgents TFTP Server for Windows 

   Date:  August 17, 2005 
   Revision:   0.1 PRE-RELEAESE 

   NOTE: This advisory contains unpublished, confidential information. 

   Rapid7 will publish this advisory on Monday, Sept. 19, 2005 or when 
   updated software is released by WinAgents, whichever comes first. 

1. Affected system(s): 

    o WinAgents TFTP Server for Windows 
       v3.0 and earlier 

2. Summary 

   Rapid7 has found a directory traversal vulnerability in WinAgents 
   TFTP Server for Windows.  This vulnerability allows remote users to 
   download any files outside of the server's TFTP data directory. 

3. Vendor status and information 

   WinAgents Software Group 

      Vendor was notified on August 18, 2005. 

4. Solution 


5. Detailed analysis 

   TFTP servers are often used to transfer configuration files and 
   operating system images to routers.  TFTP is also used for devices 
   that support PXE booting. 

   Most implementations do trivial filtering on requested filenames 
   such as "../filename" to prevent easy directory traversal. 
   However, it is easy to bypass this filtering by manipulating the 
   filename being requested. 

   With the WinAgents TFTP server, any file on the system can be 
   downloaded using a request similar to the following: 

      $ tftp 
      tftp> get .../WINNT/win.ini 
      Received 582 bytes in 0.1 seconds 
      tftp> quit 

      $ cat win.ini 
      ; for 16-bit app support 
      [mci extensions] 

6. Contact Information 

   Rapid7 Security Advisories 
   Phone:   +1 (310) 316-1235 

7. Disclaimer and Copyright 

   Rapid7, LLC. is not responsible for the misuse of the information 
   provided in our security advisories. These advisories are a service 
   to the professional security community.  There are NO WARRANTIES 
   with regard to this information. Any application or distribution of 
   this information constitutes acceptance AS IS, at the user's own 
   risk.  This information is subject to change without notice. 

   This advisory Copyright (C) 2005 Rapid7, LLC.  Permission is 
   hereby granted to redistribute this advisory, providing that no 
   changes are made and that the copyright notices and disclaimers 
   remain intact.

Back to the news list

Copyright © 1999-2019 Tandem Systems, Ltd. All rigts reserved.