CVE-2012-6664
Published 2024-06-21
Priority P2 · 75 · critical · 9.1 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EXPLOIT
EPSS: 29.54% (98.0th percentile)
Multiple directory traversal vulnerabilities in the TFTP Server in Distinct Intranet Servers 3.10 and earlier allow remote attackers to read or write arbitrary files via a .. (dot dot) in the (1) get or (2) put commands.
Detection & IOCs (extracted from sources)
- Detect TFTP write requests (WRQ opcode) containing '../' or '..\' directory traversal sequences in the filename field, particularly targeting WINDOWS\system32\ or WINDOWS\system32\wbem\mof\ paths.
- Alert on .mof files written via TFTP to the wbem\mof\ directory, as this is the WbemExec technique used to achieve SYSTEM-level code execution.
- The exploit uses a traversal depth of 10 levels by default ("../" * 10), so TFTP filenames beginning with 10 or more consecutive '../' sequences should be flagged as highly suspicious.
- The exploit source client port is randomized above 1025 (LocalPort => 1025 + rand(0xffff-1025)); however, the destination is always UDP/69. Monitor all inbound TFTP WRQ packets to UDP/69 on Distinct TFTP servers for traversal strings.
- Resulting code execution runs under SYSTEM context; correlate unexpected child processes of WMI (wmiprvse.exe or mofcomp.exe) spawning shortly after TFTP file writes as a post-exploitation indicator.
- The exploit has only been tested against Distinct TFTP Server 3.10 on Windows XP SP3 (EN); effectiveness against other Windows versions or service packs is unconfirmed.
- The traversal depth is configurable (DEPTH option, default 10); defenders should account for varying numbers of '../' repetitions, not just the default depth of 10.
- The payload is transferred in 'octet' (binary) mode; TFTP inspection must handle binary mode transfers to detect the traversal, not just netascii mode.
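The checks listed above can be combined into one payload inspector. This is an added example, not part of the original page or of any detection product: it parses a TFTP RRQ/WRQ payload seen on UDP/69 and flags `..` path segments at any depth, in either slash style and in any transfer mode. The function name, severity labels and sample payloads are assumptions constructed for illustration.

```python
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}  # TFTP get / put requests (RFC 1350)

def inspect_tftp(payload: bytes):
    """Return a finding dict for a traversal RRQ/WRQ, or None if benign/other."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None
    # Request body: filename NUL mode NUL [options...]
    fields = payload[2:].split(b"\x00")
    if len(fields) < 2:
        return None
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()  # mode strings are case-insensitive
    # Treat '\' and '/' alike, then count '..' path segments at any depth.
    parts = [p for p in filename.replace("\\", "/").split("/") if p]
    depth = parts.count("..")
    if depth == 0:
        return None
    path = "/".join(parts).lower()
    severity = "medium"
    if opcode == 2 and "windows/system32/" in path:
        severity = "high"
        if "/wbem/mof/" in path and path.endswith(".mof"):
            severity = "critical"  # MOF drop, the WbemExec pattern noted above
    return {"op": OPCODES[opcode], "mode": mode, "depth": depth,
            "severity": severity, "filename": filename}

def _req(opcode, filename, mode):
    """Build a constructed TFTP request payload for the samples below."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    _req(2, "../" * 10 + "WINDOWS\\system32\\wbem\\mof\\sample.mof", "octet"),
    _req(1, "..\\..\\boot.ini", "netascii"),
    _req(2, "../../../WINDOWS\\system32\\sample.exe", "OCTET"),
    _req(2, "firmware..v2.bin", "octet"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(inspect_tftp(pkt))
```

The transfer mode is recorded but never used as a filter, and the depth is counted rather than matched against the default of 10, so a changed DEPTH value or a netascii transfer still produces a finding.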
Exploit-DB
Distinct TFTP 3.10 - Writable Directory Traversal Execution (Metasploit)
exploitdb·2012-04-08
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
# [...]
'Name' => "Distinct TFTP 3.10 Writable Directory Traversal Execution",
'Description' => %q{
This module exploits a vulnerability found in Distinct TFTP server. The
software contains a directory traversal vulnerability that allows a remote
attacker to write arbitrary file to the file system, which results in
code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'modpr0be', #Initial discovery, PoC (Tom Gregory)
'sinn3r' #Metasploit
],
'References' =>
[
['OSVDB', '80984'],
['EDB', '18718'],
['URL', 'http://www.sp
Metasploit
Distinct TFTP 3.10 Writable Directory Traversal Execution
metasploit
This module exploits a directory traversal vulnerability in the TFTP Server component of Distinct Intranet Servers version 3.10 which allows a remote attacker to write arbitrary files to the server file system, resulting in code execution under the context of 'SYSTEM'. This module has been tested successfully on TFTP Server version 3.10 on Windows XP SP3 (EN).