[Bug 4874] New: tftpd allows to download files outside from specified tftp directory

bugzilla at busybox.net bugzilla at busybox.net
Tue Mar 6 22:48:02 UTC 2012


https://bugs.busybox.net/show_bug.cgi?id=4874

           Summary: tftpd allows to download files outside from specified
                    tftp directory
           Product: Busybox
           Version: 1.19.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: Networking
        AssignedTo: unassigned at busybox.net
        ReportedBy: railmak at gmail.com
                CC: busybox-cvs at busybox.net
   Estimated Hours: 0.0


Hi,

I was testing pxe network boot and I used udhcpd and tftpd functions of
busybox.
I found some strange behavior of tftpd function.

I have got vmlinuz, initrd files inside /boot directory so I have started tftpd
in following way:

busybox udpsvd -vE 0.0.0.0 69 tftpd  /boot


When I requested vmlinuz I received /boot/vmlinuz and this is ok.
When I requested /vmlinuz I received info 'can't open file'. After some time I
figure out that this is because tftpd is not searching /vmlinuz in /boot
directory but in root /.

I would expect that all tftp attempts with absolute path will be translated to
tftpd dir (/vmlinuz -> /boot/vmlinuz in this case) or reported as not correct
if requested file is not in subdir of tftpd dir. Instead of this anyone can
access and download any files from root file system including passwd, shadow:

Server:
busybox udpsvd -vE 0.0.0.0 69 tftpd  /boot

Client:
root at debian:/tmp# busybox tftp -g -r /etc/shadow localhost
/etc/shadow          100% |*******************************|  1242   0:00:00 ETA


>From my point of view this not correct.


Thanks in advance for Your help.
MAK

-- 
Configure bugmail: https://bugs.busybox.net/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the busybox-cvs mailing list