Advisory: Open TFTP Server V1.66 Privilege Escalation (CVE-2020-26130)
Summary
Product: Open TFTP Server
Affected version: V1.66
Vendor: Achal Dhir
Fixed Version: No response from vendor
Tested versions:
- Open TFTP Server multithreaded - V1.66
- Open TFTP Server single port - V1.66
CVE Reference: CVE-2020-26130
CWE Reference: CWE-269
Problem Description
The folder permissions on the default installation directory %SYSTEMDRIVE%\OpenTFTPServer\ allow any member of the "Authenticated Users" group to modify its contents. To exploit this vulnerability, a local attacker can replace OpenTFTPServerMT.exe (multithreaded) or OpenTFTPServerSP.exe (single port) with a crafted binary of the same name. Once the service is restarted, the attacker's code is executed in the context of SYSTEM. The service is started automatically after a reboot.
Impact
By replacing the binary, an attacker can execute code, allowing potential privilege escalation to SYSTEM.
Workaround
It is advised to change the installation directory to %SYSTEMDRIVE%\Program Files\ or %SYSTEMDRIVE%\Program Files (x86)\. By default, these directories allow "Authenticated Users" only to read and execute the directory contents.
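The following PowerShell script is an added example, not part of this advisory or of the vendor's software: it audits the install directory for the weak ACL described above and, when run with -Fix, replaces the write grant with the read-and-execute grant that Program Files uses by default. The default path and the parameter names are assumptions; adjust $InstallDir if the service was installed elsewhere.

```powershell
# Added example (not from the advisory): audit/repair the install directory ACL.
param(
    [string]$InstallDir = (Join-Path $env:SystemDrive 'OpenTFTPServer'),  # assumed default
    [switch]$Fix
)

# Well-known SID for "Authenticated Users"; used instead of the name so the
# check also works on non-English installations.
$authUsers = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')

# Any of these rights lets a standard user replace the service binary.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData

$acl = Get-Acl -Path $InstallDir
$weak = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers -and
    ([int]$_.FileSystemRights -band [int]$writeMask) -ne 0
}

if (-not $weak) {
    Write-Output "$InstallDir : Authenticated Users have no write access (CVE-2020-26130 condition absent)."
    return
}

Write-Warning "$InstallDir grants Authenticated Users write access (CVE-2020-26130 condition present)."
$weak | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

if ($Fix) {
    # Only explicit ACEs can be removed here; inherited ones must be fixed on the parent.
    foreach ($rule in ($weak | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Grant the same read/execute access that Program Files gives by default.
    $ro = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $authUsers, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ro)
    Set-Acl -Path $InstallDir -AclObject $acl
    Write-Output "Replaced write access with ReadAndExecute on $InstallDir."
}
```

Run it from an elevated prompt; without -Fix it only reports, so it can be used as a periodic compliance check.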
Notes
The issue was reported to the vendor, but there was no response.
Disclosure Timeline
2020-07-28: Vulnerability discovered
2020-07-28: Vulnerability reported to vendor via a Sourceforge message
2020-09-29: CVE reserved
2020-10-26: 90-day disclosure deadline passed
2020-10-28: Published advisory
References
https://sourceforge.net/projects/tftp-server/
Changes
2020-11-30: Corrected CWE
EOF