diff options
Diffstat (limited to 'results/classifier/108/other/1812451')
| -rw-r--r-- | results/classifier/108/other/1812451 | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/results/classifier/108/other/1812451 b/results/classifier/108/other/1812451 new file mode 100644 index 00000000..bf700834 --- /dev/null +++ b/results/classifier/108/other/1812451 @@ -0,0 +1,32 @@ +device: 0.730 +files: 0.677 +vnc: 0.657 +graphic: 0.588 +permissions: 0.492 +socket: 0.470 +semantic: 0.438 +network: 0.423 +PID: 0.397 +other: 0.355 +boot: 0.305 +debug: 0.286 +performance: 0.136 +KVM: 0.078 + +In windows host, tftp arbitrary file read vulnerability + +https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343 + + if (!strncmp(req_fname, "../", 3) || + req_fname[strlen(req_fname) - 1] == '/' || + strstr(req_fname, "/../")) { + tftp_send_error(spt, 2, "Access violation", tp); + return; + } + +There are file path check for not allowing escape tftp directory. +But, in windows, file path is separated by "\" backslash. +So, guest can read arbitrary file in Windows host. + +This is fixed upstream by https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 + |