results/classifier/zero-shot-user-mode/instruction/1812451


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

instruction: 0.634
syscall: 0.225
runtime: 0.141


In windows host, tftp arbitrary file read vulnerability

https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343

  if (!strncmp(req_fname, "../", 3) ||
      req_fname[strlen(req_fname) - 1] == '/' ||
      strstr(req_fname, "/../")) {
      tftp_send_error(spt, 2, "Access violation", tp);
      return;
  }

There are file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.