cbcvebase.
CVE-2008-1117
published 2008-03-14

CVE-2008-1117: Directory traversal vulnerability in the Notes (aka Flash Notes or instant messages) feature in tb2ftp.dll in Timbuktu Pro 8.6.5 for Windows, and possibly 8.7…

PriorityP260critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
69.47%
99.3th percentile
Directory traversal vulnerability in the Notes (aka Flash Notes or instant messages) feature in tb2ftp.dll in Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, allows remote attackers to upload files to arbitrary locations via a destination filename with a \ (backslash) character followed by ../ (dot dot slash) sequences. NOTE: this can be leveraged for code execution by writing to a Startup folder. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-4220.

Affected

1 ranges
VendorProductVersion rangeFixed in
netopiatimbuktu_pro

Detection & IOCsextracted from sources · hover to see the quote

port407/tcp
filenametb2ftp.dll
bytes
\x00\x01\x60\x00\x00\x52\x00\x25\x00\x22\x02\x01\x00\x04\x03\x07\x00\x05\x00\x01\x00\x00\x00\xf1
bytes
\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B
bytes
\xFB\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xC2\x32\x94
bytes
\xfb\x00\x00\x00\x00BINAmdos\xc2\x12\x49\xaf\xbd\x35\xac\x98
  • Monitor TCP/407 for the Timbuktu Pro Notes protocol handshake byte sequences (0x00 0x01 0x60/0x61/0x62/0x6B opcodes) as indicators of exploit attempts.
  • Alert on file creation events in Windows Startup folders (e.g., 'Documents and Settings\All Users\Start Menu\Programs\Startup\') by the Timbuktu Pro process, as exploitation leverages this for code execution.
  • Inspect Timbuktu Pro Notes attachment-info packets (starting with 0xFB) on TCP/407 for filename fields containing path traversal sequences ('../' or '..\'). The attach_info packet embeds the destination filename as a Pascal-style length-prefixed string.
  • Log injection: monitor Timbuktu Pro log files for CRLF (\r\n) sequences embedded in peer hostname or username fields, indicating log-forging attempts via the Notes peer-info exchange packet.
  • ·This vulnerability is reported as an incomplete fix for CVE-2007-4220; environments that applied the prior patch may still be vulnerable.
  • ·The vulnerability affects both Windows (8.6.5) and possibly Mac OS X (8.7); detections focused solely on Windows tb2ftp.dll may miss Mac OS X exposure.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.