http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=589
Public Advisory: 08.27.07 
Motorola Timbuktu Pro Directory Traversal Vulnerability

I. BACKGROUND
Motorola Inc.'s Timbuktu Pro is remote control software that allows remote access to a computer's desktop. It is available for Mac OS X and Windows systems and provides integration with Skype and SSH. More information is available from the product web site at the following URL.

II. DESCRIPTION
Remote exploitation of a directory traversal vulnerability in Motorola Inc.'s Timbuktu Pro allows attackers to delete or create files with SYSTEM privileges.

When handling "Send" requests, Timbuktu does not properly check for directory traversal specifiers. Therefore, by including a sequence such as "../../../", an attacker is able to write outside of the intended location. Additionally, if the file already exists, the file is created with a new name. However, if the connection is broken before the transfer completes, Timbuktu will delete the originally specified file name instead of the new name.
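The two checks a file-receive handler needs to avoid both behaviours described above, as an added Python sketch that is not code from the advisory or from Timbuktu. The function names, the "name (n)" renaming scheme and the simulated broken transfer are assumptions made for illustration.

```python
import os

def resolve_in_dropbox(dropbox, requested_name):
    """Map a peer-supplied file name to a path that stays inside dropbox."""
    base = os.path.realpath(dropbox)
    # The peer may run another OS, so treat "\" as a separator as well.
    name = requested_name.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("file name escapes the receive folder: %r" % requested_name)
    return candidate

def unique_path(path):
    """If path exists, choose 'name (n).ext'; the existing file is left alone."""
    root, ext = os.path.splitext(path)
    n, chosen = 1, path
    while os.path.exists(chosen):
        chosen = "%s (%d)%s" % (root, n, ext)
        n += 1
    return chosen

def receive_file(dropbox, requested_name, chunks):
    """Store an incoming transfer; on failure remove only the file created here."""
    target = unique_path(resolve_in_dropbox(dropbox, requested_name))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # Open outside the try block: if creation fails (for example the name was
    # taken in the meantime), nothing was created and nothing may be deleted.
    out = open(target, "xb")  # 'x' refuses to overwrite an existing file
    try:
        with out:
            for chunk in chunks:
                out.write(chunk)
    except Exception:
        # Clean up the renamed target, never the originally requested name.
        os.remove(target)
        raise
    return target

def broken_transfer():
    """Constructed sample input: one chunk arrives, then the connection drops."""
    yield b"partial data"
    raise ConnectionError("peer disconnected before the transfer completed")
```

The cleanup path is keyed to the path that was actually opened, so an interrupted transfer of a name that already exists leaves the pre-existing file untouched.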