cbcvebase.
CVE-2012-6664
published 2024-06-21

Priority: P275 · critical · CVSS 3.1: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 29.54% (98.0th percentile)
Multiple directory traversal vulnerabilities in the TFTP Server in Distinct Intranet Servers 3.10 and earlier allow remote attackers to read or write arbitrary files via a .. (dot dot) in the (1) get or (2) put commands.

Detection & IOCs (extracted from sources)

port: 69/UDP (TFTP)
path: ..\..\..\..\..\..\..\..\..\..\WINDOWS\system32\<random>.exe
path: ..\..\..\..\..\..\..\..\..\..\WINDOWS\system32\wbem\mof\<random>.mof
command: TFTP put with ../ traversal sequence
  • Detect TFTP write requests (WRQ opcode) containing '../' or '..\' directory traversal sequences in the filename field, particularly targeting WINDOWS\system32\ or WINDOWS\system32\wbem\mof\ paths.
  • Alert on .mof files written via TFTP to the wbem\mof\ directory, as this is the WbemExec technique used to achieve SYSTEM-level code execution.
  • The exploit uses a traversal depth of 10 levels by default ("../" * 10), so TFTP filenames beginning with 10 or more consecutive '../' sequences should be flagged as highly suspicious.
  • The exploit source client port is randomized above 1025 (LocalPort => 1025 + rand(0xffff-1025)); however, the destination is always UDP/69. Monitor all inbound TFTP WRQ packets to UDP/69 on Distinct TFTP servers for traversal strings.
  • Resulting code execution runs under SYSTEM context; correlate unexpected child processes of WMI (wmiprvse.exe or mofcomp.exe) spawning shortly after TFTP file writes as a post-exploitation indicator.
  • The exploit has only been tested against Distinct TFTP Server 3.10 on Windows XP SP3 (EN); effectiveness against other Windows versions or service packs is unconfirmed.
  • The traversal depth is configurable (DEPTH option, default 10); defenders should account for varying numbers of '../' repetitions, not just the default depth of 10.
  • The payload is transferred in 'octet' (binary) mode; TFTP inspection must handle binary mode transfers to detect the traversal, not just netascii mode.
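
The request inspection described in the bullets above, as an added example that is not part of the original page or any vendor rule: a Python check that parses the TFTP request header (opcode, then NUL-terminated filename and mode, per RFC 1350) and flags traversal at any depth, with either path separator and in any transfer mode. The function names, severity labels and sample datagrams are assumptions constructed for illustration.

```python
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}  # RFC 1350 read / write request opcodes
# Targets named in the indicators above, most specific first.
SENSITIVE = ("windows/system32/wbem/mof/", "windows/system32/")

def parse_request(payload: bytes):
    """Return (op, filename, mode) for a TFTP RRQ/WRQ datagram, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    fields = payload[2:].split(b"\x00")
    if opcode not in OPCODES or len(fields) < 3:  # need NUL-terminated name + mode
        return None
    # Mode strings are case-insensitive, so normalise before reporting.
    return OPCODES[opcode], fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()

def inspect(payload: bytes):
    """Return an alert dict when the request filename traverses upward, else None."""
    req = parse_request(payload)
    if req is None:
        return None
    op, filename, mode = req
    parts = filename.replace("\\", "/").split("/")  # treat both separators alike
    depth = sum(1 for p in parts if p == "..")       # any depth, not only 10
    if depth == 0:
        return None
    rest = "/".join(p for p in parts if p not in ("..", ".", "")).lower()
    target = next((s for s in SENSITIVE if rest.startswith(s)), None)
    severity = "high" if op == "WRQ" and (target or depth >= 10) else "medium"
    return {"op": op, "mode": mode, "depth": depth, "target": target,
            "severity": severity, "filename": filename}

def request(opcode: int, filename: str, mode: str) -> bytes:
    """Build a constructed sample datagram for exercising inspect()."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    request(2, "../" * 10 + "WINDOWS\\system32\\wbem\\mof\\sample.mof", "octet"),
    request(2, "..\\..\\..\\WINDOWS\\system32\\sample.exe", "Octet"),
    request(1, "../../notes.txt", "netascii"),
    request(2, "firmware.bin", "octet"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(inspect(pkt))
```

In a sensor, `inspect()` would be called on the UDP payload of each datagram sent to port 69; only the initial request carries the filename, so later DATA/ACK packets return `None`.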