Bug 4874

Summary: tftpd allows to download files outside from specified tftp directory
Product: Busybox Reporter: Michal Kowalski <railmak>
Component: NetworkingAssignee: unassigned
Status: RESOLVED FIXED    
Severity: major CC: busybox-cvs
Priority: P5    
Version: 1.19.x   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Host: Target:
Build:

Description Michal Kowalski 2012-03-06 22:48:01 UTC 
Hi,

I was testing pxe network boot and I used udhcpd and tftpd functions of busybox.
I found some strange behavior of tftpd function.

I have got vmlinuz, initrd files inside /boot directory so I have started tftpd in following way:

busybox udpsvd -vE 0.0.0.0 69 tftpd  /boot


When I requested vmlinuz I received /boot/vmlinuz and this is ok.
When I requested /vmlinuz I received info 'can't open file'. After some time I figure out that this is because tftpd is not searching /vmlinuz in /boot directory but in root /.
 
I would expect that all tftp attempts with absolute path will be translated to tftpd dir (/vmlinuz -> /boot/vmlinuz in this case) or reported as not correct if requested file is not in subdir of tftpd dir. Instead of this anyone can access and download any files from root file system including passwd, shadow:

Server:
busybox udpsvd -vE 0.0.0.0 69 tftpd  /boot

Client:
root@debian:/tmp# busybox tftp -g -r /etc/shadow localhost
/etc/shadow          100% |*******************************|  1242   0:00:00 ETA


From my point of view this not correct.


Thanks in advance for Your help.
MAK
Comment 1 Denys Vlasenko 2012-03-07 23:30:05 UTC 
Thanks for reporting!

Fixed in git:

http://git.busybox.net/busybox/commit/?id=4e3beb2e1db3d4739a5a924e003938a9815f98e5