[Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability

* [Bug 1812451] Re: In windows host, tftp arbitrary file read vulnerability
       [not found] <154785010249.1233.12902128942224805447.malonedeb@gac.canonical.com>
@ 2020-01-20 14:59 ` Peter Maydell
  2020-01-20 15:02 ` Samuel thibault
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2020-01-20 14:59 UTC (permalink / raw)
  To: qemu-devel

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1812451

Title:
  In windows host, tftp arbitrary file read vulnerability

Status in QEMU:
  New

Bug description:
  https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343

    if (!strncmp(req_fname, "../", 3) ||
        req_fname[strlen(req_fname) - 1] == '/' ||
        strstr(req_fname, "/../")) {
        tftp_send_error(spt, 2, "Access violation", tp);
        return;
    }

  There is file path check for not allowing escape tftp directory.
  But, in windows, file path is separated by "\" backslash.
  So, guest can read arbitrary file in Windows host.

  This bug is variant of CVE-2019-2553 - Directory traversal
  vulnerability.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1812451/+subscriptions

^ permalink raw reply	[flat|nested] 4+ messages in thread