Path traversal vulnerabilities arise when user-controllable data is used by the application to access files and directories on the application server or other back-end file system in an unsafe way. By submitting crafted input, an attacker may be able to cause arbitrary content to be read from, or written to, anywhere on the file system being accessed. This often enables an attacker to read sensitive information from the server, or overwrite sensitive files, leading ultimately to arbitrary command execution on the server.
Consider the following example, in which an application uses a dynamic page to return static images to the client. The name of the requested image is specified in a query string parameter:
https://wahh-app.com/scripts/GetImage.aspx?file=diagram1.jpg
When the server processes this request, it performs the following steps:
1. Extracts the value of the file parameter from the query string.
2. Appends this value to the prefix C:\wahh-app\images\.
3. Opens the file with this name.
4. Reads the file’s contents and returns it to the client.
The vulnerability arises because an attacker can place path traversal sequences into the file name in order to backtrack up from the image directory specified in step 2 and so access files from anywhere on the server. The path traversal sequence is known as “dot-dot-slash,” and a typical attack would look like this:
https://wahh-app.com/scripts/GetImage.aspx?file=..\..\windows\repair\sam
When the application appends the value of the file parameter to the name of the images directory, it obtains the following path:
C:\wahh-app\images\..\..\winnt\repair\sam
The two traversal sequences effectively step back up from the images directory to the root of the C: drive, and so the preceding path is equivalent to this: C:\winnt\repair\sam
Hence, instead of returning an image file, the server actually returns the repair copy of the Windows SAM file. This file may be analyzed by the attacker to obtain usernames and passwords for the server operating system.
In this simple example, the application implements no defenses to prevent path traversal attacks. However, because these attacks have been widely known about for some time, it is common to encounter applications that implement various defenses against them, often based on input validation filters. As you will see, these filters are often poorly designed and can be bypassed by a skilled attacker.
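The four steps above, as an added example that is not code from the original post or from the application it describes: the vulnerable concatenation of step 2 beside a hardened version that canonicalises the path and verifies it stays inside the images directory. It is written in Python rather than ASP.NET, uses ntpath so the Windows path semantics hold on any host, and the function names and the IMAGE_DIR constant are assumptions.

```python
import ntpath

# The prefix from step 2 of the text (assumed constant name).
IMAGE_DIR = r"C:\wahh-app\images"


def build_path_vulnerable(filename: str) -> str:
    """Step 2 exactly as described: the parameter is appended to the prefix
    with no checks. Returns the path the OS will actually open once the
    '..' segments have been collapsed."""
    return ntpath.normpath(IMAGE_DIR + "\\" + filename)


def resolve_image_path(filename: str) -> str:
    """Hardened replacement for step 2 (assumed name): accept only a bare
    file name, then canonicalise and confirm containment in IMAGE_DIR."""
    # 1. The parameter names a file inside the images directory, so any
    #    directory part (separators, drive letters, '.' or '..') is rejected
    #    before a path is ever built.
    if filename in ("", ".", "..") or ntpath.basename(filename) != filename:
        raise ValueError(f"rejected file name: {filename!r}")
    # 2. Canonicalise the joined path and verify that the canonical form still
    #    lies under IMAGE_DIR (comparison is case-insensitive, as NTFS is).
    base = ntpath.normpath(IMAGE_DIR)
    candidate = ntpath.normpath(ntpath.join(base, filename))
    if ntpath.commonpath([base, candidate]).lower() != base.lower():
        raise ValueError(f"path escapes images directory: {candidate!r}")
    return candidate


def is_accepted(filename: str) -> bool:
    """True if the hardened resolver accepts the name, False if it rejects it."""
    try:
        resolve_image_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the legitimate request and the attack from the text.
    for name in ("diagram1.jpg", r"..\..\winnt\repair\sam"):
        print(f"{name!r:32} vulnerable -> {build_path_vulnerable(name)}")
        print(f"{'':32} hardened   -> accepted={is_accepted(name)}")
```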