device: 0.730
instruction: 0.699
vnc: 0.657
graphic: 0.588
mistranslation: 0.531
socket: 0.470
semantic: 0.438
network: 0.423
other: 0.355
boot: 0.305
assembly: 0.114
KVM: 0.078
On a Windows host, tftp arbitrary file read vulnerability
https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343
    if (!strncmp(req_fname, "../", 3) ||
        req_fname[strlen(req_fname) - 1] == '/' ||
        strstr(req_fname, "/../")) {
        tftp_send_error(spt, 2, "Access violation", tp);
        return;
    }
There is a file path check to prevent escaping the tftp directory.
But on Windows, file paths are separated by the "\" backslash.
So the guest can read arbitrary files on a Windows host.
This is fixed upstream by https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
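
An added example, not code from QEMU, libslirp or the linked commit: the check quoted above is reproduced next to a hypothetical hardened variant that treats both "/" and "\" as separators and rejects any ".." path component. The function names and sample file names are constructed for illustration, and the variant covers only the ".." component case this report describes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The check quoted in the report: only '/' counts as a separator.
 * Returns true when the request would be rejected. */
static bool original_check_rejects(const char *req_fname)
{
    size_t len = strlen(req_fname);
    if (len == 0)
        return true; /* added guard: avoids reading req_fname[-1] */
    return !strncmp(req_fname, "../", 3) ||
           req_fname[len - 1] == '/' ||
           strstr(req_fname, "/../") != NULL;
}

static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Hypothetical hardened check (an assumption, not the upstream fix):
 * split on both separators, reject any ".." component, a trailing
 * separator, and an empty name. */
static bool hardened_check_rejects(const char *req_fname)
{
    size_t len = strlen(req_fname);
    if (len == 0 || is_sep(req_fname[len - 1]))
        return true;
    const char *p = req_fname;
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p))
            p++;                       /* advance to end of component */
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return true;               /* component is exactly ".." */
        if (*p)
            p++;                       /* skip the separator */
    }
    return false;
}

int main(void)
{
    /* Constructed sample names, not taken from the report. */
    const char *names[] = { "boot/pxelinux.0", "../x", "a/../x",
                            "..\\x", "a\\..\\x", "dir\\" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s original=%d hardened=%d\n", names[i],
               original_check_rejects(names[i]),
               hardened_check_rejects(names[i]));
    return 0;
}
```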