Bug 4874 - tftpd allows to download files outside from specified tftp directory
Summary: tftpd allows to download files outside from specified tftp directory
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Networking
Version: 1.19.x
Hardware: PC Linux
Importance: P5 major
Target Milestone: ---
Assignee: unassigned
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-06 22:48 UTC by Michal Kowalski
Modified: 2012-03-07 23:30 UTC (History)

See Also:
Host:
Target:
Build:


Description Michal Kowalski 2012-03-06 22:48:01 UTC
Hi,

I was testing PXE network boot and I used the udhcpd and tftpd functions of busybox.
I found some strange behavior of the tftpd function.

I have the vmlinuz and initrd files inside the /boot directory, so I started tftpd in the following way:

busybox udpsvd -vE 0.0.0.0 69 tftpd  /boot


When I requested vmlinuz I received /boot/vmlinuz and this is ok.
When I requested /vmlinuz I received the message 'can't open file'. After some time I figured out that this is because tftpd is not looking for /vmlinuz in the /boot directory but in the root /.

I would expect that all tftp requests with an absolute path will be translated to the tftpd directory (/vmlinuz -> /boot/vmlinuz in this case) or reported as invalid if the requested file is not in a subdirectory of the tftpd directory. Instead of this, anyone can access and download any file from the root file system, including passwd and shadow:

Server:
busybox udpsvd -vE 0.0.0.0 69 tftpd  /boot

Client:
root@debian:/tmp# busybox tftp -g -r /etc/shadow localhost
/etc/shadow          100% |*******************************|  1242   0:00:00 ETA


From my point of view this is not correct.


Thanks in advance for your help.
MAK
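The report above boils down to a path-confinement problem: the server changes into the served directory and then opens the request name as given, so an absolute name such as /etc/shadow ignores the directory entirely. The following C program is an added example written for this page; it is not busybox code and does not reproduce the fix in the commit linked below. It puts the naive behaviour (naive_resolve) next to a hypothetical check (tftp_confine) that pins every request under the served directory: leading slashes are dropped so that /vmlinuz means <root>/vmlinuz, and empty names, empty components, trailing slashes and any component beginning with '.' (which covers "." and "..") are refused. Both function names, the rule set and the sample request list are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * naive_resolve(): what a server effectively does when it only chdir()s into
 * the served directory and then open()s the request name unchanged. An
 * absolute request bypasses the chdir, so "/etc/shadow" maps to /etc/shadow,
 * which is the behaviour observed in the report. "../etc/shadow" is accepted
 * as well. Hypothetical helper, not busybox code.
 */
static bool naive_resolve(const char *root, const char *req, char *out, size_t outlen)
{
    int n;
    if (req[0] == '/')
        n = snprintf(out, outlen, "%s", req);          /* escapes root */
    else
        n = snprintf(out, outlen, "%s/%s", root, req);
    return n > 0 && (size_t)n < outlen;
}

/*
 * tftp_confine(): hypothetical replacement that keeps every request under
 * root. The rules are this example's own, not a protocol requirement:
 *   - leading slashes are dropped, so "/vmlinuz" means "<root>/vmlinuz"
 *   - empty names, empty components ("a//b") and trailing slashes are refused
 *   - any component beginning with '.' is refused, which covers "." and ".."
 *     as well as dotfiles
 * root is assumed to be an absolute path without a trailing slash.
 * Returns true and fills out[] on success, false when the request is refused
 * or the result does not fit.
 */
static bool tftp_confine(const char *root, const char *req, char *out, size_t outlen)
{
    const char *p;
    int n;

    while (*req == '/')
        req++;
    if (*req == '\0')
        return false;

    for (p = req; *p != '\0'; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] == '.')
            return false;
        p += len;
        if (*p == '/')
            p++;
    }
    if (p[-1] == '/')                 /* "dir/" names a directory, not a file */
        return false;

    n = snprintf(out, outlen, "%s/%s", root, req);
    return n > 0 && (size_t)n < outlen;
}

int main(void)
{
    /* constructed sample requests, including the one from the report */
    static const char *const reqs[] = {
        "vmlinuz", "/vmlinuz", "/etc/shadow", "../etc/shadow",
        "grub/../../etc/shadow", "grub/", ".hidden",
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        printf("%-24s naive: ", reqs[i]);
        if (naive_resolve("/boot", reqs[i], buf, sizeof buf))
            printf("%-22s", buf);
        else
            printf("%-22s", "refused");
        printf(" confined: ");
        if (tftp_confine("/boot", reqs[i], buf, sizeof buf))
            printf("%s\n", buf);
        else
            printf("refused\n");
    }
    return 0;
}
```

Lexical confinement like this is only half the job: a symlink inside the served directory that points outside it still resolves outside, so in a real server it should be paired with a chroot into the served directory, or with a realpath()/O_NOFOLLOW check on the opened file. Run against the sample list, naive_resolve hands back /etc/shadow for the request from the report while tftp_confine maps it to /boot/etc/shadow.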
Comment 1 Denys Vlasenko 2012-03-07 23:30:05 UTC
Thanks for reporting!

Fixed in git:

http://git.busybox.net/busybox/commit/?id=4e3beb2e1db3d4739a5a924e003938a9815f98e5