W2K RIS TFTP Daemon Security Hole! - TechRepublic
June 25, 2002 at 11:21 AM
envisionone


I discovered a security hole with the W2K RIS TFTP Daemon Service. The service allows uploading without observing local NTFS permissions. The service isn’t pointing to the RIS share either. If you attempt to run the service under a restricted account, it will create and point to a %systemroot%\tftpdroot folder by default. Further analysis points out that using a TFTP client can allow uploads of great file sizes. I have also verified that multiple connections can be established performing this capability. After analyzing server performance, my test seriously impacted the security and capabilities of the test server.

Keeping the service set at manual and starting the service when needed, and/or blocking the port when not in use is my only alternative. I also changed the share name REMINST to appear hidden, updated the share and folder security permissions, and updated all references to the share in the system’s registry to prevent people from snooping around the share. I did this with all the shares on the test server. I did lose some image lookup functionality in Active Directory. I have not yet found the pointer to that in the registry. After careful review, I definitely will be updating my security policy when it comes to servers, services, shares, permissions, and ports opened on the server.

Please give me your input on this issue if possible.
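
For watching the TFTP port while the service is running, the following is an added example and not part of the original post: it parses TFTP request packets (RFC 1350, options per RFC 2347) and flags write requests, oversized declared transfers, and sources that open several uploads. The packets, addresses, file names, and the 10 MB limit are constructed assumptions.

```python
import struct
from collections import Counter

SIZE_LIMIT = 10 * 1024 * 1024  # assumed policy threshold in bytes

# Constructed sample: (source IP, UDP payload sent to port 69)
SAMPLE = [
    ("192.0.2.10", b"\x00\x01boot.img\x00octet\x00"),                       # RRQ
    ("192.0.2.66", b"\x00\x02big1.bin\x00octet\x00tsize\x00734003200\x00"),  # WRQ + tsize
    ("192.0.2.66", b"\x00\x02big2.bin\x00octet\x00"),                       # WRQ
    ("192.0.2.10", b"\x00\x04\x00\x01"),                                    # ACK
]

def parse_request(payload):
    """Parse a TFTP RRQ/WRQ (RFC 1350, options per RFC 2347); None otherwise."""
    if len(payload) < 4 or not payload.endswith(b"\x00"):
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    fields = [f.decode("ascii", "replace") for f in payload[2:-1].split(b"\x00")]
    if len(fields) < 2 or len(fields) % 2:
        return None  # need filename + mode, then option/value pairs
    options = {fields[i].lower(): fields[i + 1] for i in range(2, len(fields), 2)}
    return {"op": "WRQ" if opcode == 2 else "RRQ", "filename": fields[0],
            "mode": fields[1].lower(), "options": options}

def flag_uploads(packets, size_limit=SIZE_LIMIT):
    """Return (src, filename, reasons) for every write request seen."""
    findings = []
    for src, payload in packets:
        req = parse_request(payload)
        if req is None or req["op"] != "WRQ":
            continue
        reasons = ["write request"]
        # tsize (RFC 2349) is optional; many clients never send it
        tsize = req["options"].get("tsize", "")
        if tsize.isdigit() and int(tsize) > size_limit:
            reasons.append("declared size %s exceeds limit" % tsize)
        findings.append((src, req["filename"], reasons))
    return findings

def repeat_sources(findings, threshold=2):
    """Sources that opened at least `threshold` upload sessions."""
    counts = Counter(src for src, _, _ in findings)
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = flag_uploads(SAMPLE)
    for hit in hits:
        print(hit)
    print(repeat_sources(hits))
```

Because the size option is optional, a write request without it still needs to be treated as a finding on its own.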
