The SolarWinds TFTP Server has the ability to send and receive multiple files concurrently. This TFTP Server is commonly used to upload/download executable images and configurations to routers, switches, hubs, X terminals, etc. The software is freely available from http://support.solarwinds.net/updates/New-customerFree.cfm and is also included in the Standard, Professional, and Professional Plus Editions of SolarWinds Network Management Tools. A vulnerability in the product allows a remote, unauthenticated attacker to download arbitrary files from the host running the TFTP Server by using directory traversal sequences in the requested file name.
Vulnerable systems:
* SolarWinds TFTP Server version 5.0.55 and prior
Immune systems:
* SolarWinds TFTP Server version 5.0.60
SolarWinds.net's TFTP Server is susceptible to a directory traversal attack that allows attackers to retrieve any file on the host, not only files under the configured TFTP root directory. The flaw is a common programming error in the handling of file paths: the file name taken from the client's read request is appended to the root directory as-is, without first normalizing it and verifying that the resulting path still lies inside that root. The process is best explained with an example:
tftp target.server GET a\..\..\winnt\repair\sam
The above example will retrieve the Windows NT SAM file from the target server, as the file request is translated to:
C:\TFTP-ROOT\a\..\..\winnt\repair\sam
where C:\TFTP-ROOT is the root directory created by the default installation. Each ".." component steps up one directory, so the operating system resolves the path to C:\winnt\repair\sam, outside the TFTP root. The copy under \repair is targeted because the live SAM in \winnt\system32\config is held open by the operating system while Windows runs. Note that the SAM is a binary file; when using the Windows tftp client, pass -i to select binary (octet) transfer mode so the file is not mangled by netascii conversion.
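The following is an added example, not SolarWinds code: it models the path-handling error described above and shows the check that prevents it. The advisory describes only how the requested name is translated, so the vulnerable behaviour is modelled as plain concatenation of the root and the request name; C:\TFTP-ROOT is the default root named in the advisory, and the sample request names are constructed for illustration. The hardened resolver normalizes the joined path and refuses anything that does not remain under the root, which also covers forward-slash traversal, root-relative names and drive-qualified names, cases the advisory's single example does not show.

```python
"""Added example (not SolarWinds code): the path-handling bug behind the advisory.

A TFTP Read Request (RFC 1350, opcode 1) carries a filename string. The
vulnerable behaviour is modelled as appending that string to the configured
root; the hardened version normalizes first and then checks containment.
TFTP_ROOT and the sample request names are constructed for illustration.
"""
import ntpath
import struct

TFTP_ROOT = r"C:\TFTP-ROOT"  # default root per the advisory


def build_rrq(filename, mode="octet"):
    """Encode an RRQ as it appears on the wire: | 0x0001 | filename | 0 | mode | 0 |"""
    return (struct.pack("!H", 1) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def parse_rrq(packet):
    """Decode an RRQ, returning (filename, mode). Raises ValueError if malformed."""
    if len(packet) < 2:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != 1:
        raise ValueError("not a read request (opcode %d)" % opcode)
    # Expect: filename, mode, and an empty field after the final NUL.
    fields = packet[2:].split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed RRQ: missing NUL-terminated filename or mode")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def vulnerable_resolve(root, filename):
    """Naive concatenation: the request name is trusted verbatim (assumed 5.0.55 behaviour)."""
    return root + "\\" + filename


def opened_by_filesystem(path):
    """What Windows actually opens once the '..' components are collapsed."""
    return ntpath.normpath(path)


def hardened_resolve(root, filename):
    """Return the path to serve, or None if the request would escape the root."""
    # Reject drive letters, UNC prefixes and names starting at the filesystem root:
    # ntpath.join would discard the configured root for those.
    if ntpath.splitdrive(filename)[0] or filename.startswith(("\\", "/")):
        return None
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, filename))
    # Containment check, case-insensitive as Windows paths are. The trailing
    # separator stops C:\TFTP-ROOT-other from passing as inside C:\TFTP-ROOT.
    if not ntpath.normcase(candidate).startswith(ntpath.normcase(root_norm) + "\\"):
        return None
    return candidate


def handle_request(packet, root=TFTP_ROOT):
    """Run one wire-format RRQ through both resolvers; returns a dict for inspection."""
    filename, mode = parse_rrq(packet)
    return {
        "filename": filename,
        "mode": mode,
        "vulnerable_opens": opened_by_filesystem(vulnerable_resolve(root, filename)),
        "hardened_serves": hardened_resolve(root, filename),
    }


if __name__ == "__main__":
    # Constructed samples: the advisory's traversal, two variants, and a legitimate name.
    for name in (r"a\..\..\winnt\repair\sam", "../../winnt/repair/sam",
                 r"\winnt\repair\sam", r"configs\router1.cfg"):
        print(handle_request(build_rrq(name)))
```

The containment test compares normalized, case-folded paths rather than searching the request for ".." because a substring check misses forward-slash and drive-letter variants and can be fooled by names such as "..\TFTP-ROOT-old\x".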
Analysis:
Successful exploitation of this vulnerability gives attackers read access to any file on the target system that the TFTP Server's process account can read. Because TFTP (UDP port 69) has no authentication, the attacker needs no credentials, only network reachability. This attack can lead to further compromise; for example, if the Windows NT SAM file is retrieved, the password hashes it contains can be cracked offline.
Workaround:
It is suggested that file transmissions (downloads from the server) be disabled if they are not required. This can be accomplished by selecting the "Receive only" radio button under the "File\Configure\Security" tab of the application. Note that this removes all download capability, so installations whose devices fetch images or configurations from the server must move to a fixed version instead. A firewall that restricts access to the application (UDP port 69) to only trusted sources could also help mitigate the attack.
Additionally, version 5.0.60 or later of the SolarWinds TFTP Server does not have this vulnerability.
Vendor response and fix:
This problem has been resolved in all versions of the SolarWinds TFTP Server that are version 5.0.60 or later. Updated versions of all SolarWinds Tools are now available from http://www.solarwinds.net.
Disclosure Timeline:
09/22/2002 Issue disclosed to iDEFENSE
10/14/2002 Solarwinds.net notified
10/14/2002 iDEFENSE clients notified
10/14/2002 Response received from Josh Stevens (josh@solarwinds.net)
10/14/2002 Vendor fix made available
10/24/2002 Coordinated public disclosure