|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3758 CVE : CVE-2008-1410 CVE : CVE-2008-1411 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : No Credit : Luigi Auriemma Published : 20.03.2008
Advisory Text : ####################################################################### Luigi Auriemma Application: Acronis PXE Server http://www.acronis.com/enterprise/products/snapdeploy/ Versions: <= 2.0.0.1076 Platforms: Windows Bugs: A] directory traversal B] NULL pointer Exploitation: remote Date: 08 Mar 2008 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Acronis PXE Server is an essential component of Acronis Snap Deploy Server, a deployment solution for automatically configuring all the clients of the local network. ####################################################################### ======= 2) Bugs ======= ---------------------- A] directory traversal ---------------------- The PXE Server (pxesrv.exe) implements a TFTP server for allowing the downloading of the bootstrap files (uploading is not allowed). This service is vulnerable to a classical directory traversal and an arbitrary path attacks which allow an attacker to download any file from the local disks or the network shares. --------------- B] NULL pointer --------------- An incomplete TFTP request (anything which goes from the simple absence of the option field to the usage of only the 2 bytes for the opcode) causes the crashing of the PXE Server due to a NULL pointer access. ####################################################################### =========== 3) The Code =========== A] http://aluigi.org/testz/tftpx.zip tftpx SERVER ..../..../boot.ini none tftpx SERVER c:boot.ini none tftpx SERVER \internal_hostdocumentsfile.txt none B] send the bytes 00 01 to UDP port 69 of the server: echo -n -e x00x01|nc SERVER 69 -v -v -u ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |