I. BACKGROUND
The SolarWinds TFTP Server has the ability to send and receive multiple files concurrently. This TFTP Server is commonly used to upload/download executable images and configurations to routers, switches, hubs, XTerminals, etc. The software is freely available from http://support.solarwinds.net/updates/New-customerFree.cfm and is also included in the Standard, Professional, and Professional Plus Editions of SolarWinds Network Management Tools.
II. DESCRIPTION
SolarWinds.net's TFTP Server is susceptible to a folder traversal attack allowing attackers to retrieve any file from the application. This vulnerability is often found due to a common programming error in the handling of file paths. The process is best explained with an example:
tftp target.server GET a\..\..\winnt\repair\sam
The above example will retrieve the Windows NT SAM file from the target server as the file request is translated to:
C:\TFTP-ROOT\a\..\..\winnt\repair\sam
Where TFTP-ROOT is the default installed root directory.
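The path-handling check whose absence produces this translation, as an added example (not SolarWinds code and not the vendor's fix). The function name resolve_request is hypothetical; Python's ntpath module is used so that Windows path rules apply on any platform.

```python
import ntpath

TFTP_ROOT = r"C:\TFTP-ROOT"  # default root directory named in the advisory


def resolve_request(root, requested):
    """Map a TFTP filename to a path under root, or return None if it escapes.

    Lexical check only: it does not resolve junctions, symlinks or 8.3 short
    names, so a real server should also canonicalise against the filesystem.
    """
    # TFTP clients may send either separator; Windows accepts both.
    requested = requested.replace("/", "\\")

    # Refuse NULs and any name that carries its own drive, UNC share or root,
    # because joining such a name would discard the configured root.
    drive, tail = ntpath.splitdrive(requested)
    if "\x00" in requested or drive or tail.startswith("\\"):
        return None

    # Join first, then collapse "." and ".." components.
    candidate = ntpath.normpath(ntpath.join(root, requested))

    # Compare case-insensitively and require a separator after the root so
    # that a sibling such as C:\TFTP-ROOT-old does not pass as a prefix match.
    root_cmp = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    if not ntpath.normcase(candidate).startswith(root_cmp):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, including the one from the advisory.
    for name in (r"configs\router1.cfg",
                 r"a\..\..\winnt\repair\sam",
                 "a/../../winnt/repair/sam",
                 r"C:\winnt\repair\sam",
                 r"..\TFTP-ROOT-old\image.bin"):
        print(f"{name!r:32} -> {resolve_request(TFTP_ROOT, name)}")
```

A server applying this check refuses the request before opening any file; legitimate names that contain ".." but stay inside the root are still served.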
III. ANALYSIS
Successful exploitation of this vulnerability provides attackers with access to any file on the target system. It is possible for this attack to lead to further compromise if for example the Windows NT SAM file was retrieved. SolarWinds TFTP Server is a free, multi-threaded TFTP server with security. More information about this application can be found at http://www.solarwinds.net/Tools/Free_tools/TFTP_Server/.
IV. DETECTION
iDEFENSE has verified the existence of this vulnerability in the latest version of SolarWinds TFTP Server (v5.0.55). It is suspected that earlier versions are vulnerable as well. A specific implementation's susceptibility can be determined by experimenting with the above-described specifics.
V. WORKAROUND
It is suggested that file transmittals be disabled if they are not required. This can be accomplished by selecting the "Receive only" radio button under the "File\Configure\Security" tab of the application. A firewall that restricts access to the application to only trusted sources could also help mitigate the attack.
Additionally, version 5.0.60 or later of the SolarWinds TFTP Server does not have this vulnerability.
VI. VENDOR FIX/RESPONSE
This problem has been resolved in all versions of the SolarWinds TFTP Server that are version 5.0.60 or later. Updated versions of all SolarWinds Tools are now available from http://www.solarwinds.net
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1209 to this issue.
VIII. DISCLOSURE TIMELINE
| 09/22/2002 | Issue disclosed to iDEFENSE |
| 10/14/2002 | Solarwinds.net notified |
| 10/14/2002 | iDEFENSE clients notified |
| 10/14/2002 | Response received from Josh Stevens (josh@solarwinds.net) |
| 10/14/2002 | Vendor fix made available |
| 10/24/2002 | Coordinated public disclosure |
IX. CREDIT
Matthew Murphy (mattmurphy@kc.rr.com) is credited with discovering this vulnerability.