blob: 5055e1ec6fb4ffabf1c93040fb01af5be5e85e9f (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
In windows host, tftp arbitrary file read vulnerability
https://github.com/qemu/qemu/blob/master/slirp/tftp.c#L343
if (!strncmp(req_fname, "../", 3) ||
req_fname[strlen(req_fname) - 1] == '/' ||
strstr(req_fname, "/../")) {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
There are file path check for not allowing escape tftp directory.
But, in windows, file path is separated by "\" backslash.
So, guest can read arbitrary file in Windows host.
|