Exploiting Path Traversal

Many kinds of functionality oblige a web application to read from or write to a file system on the basis of parameters supplied within user requests. If these operations are carried out in an unsafe manner, an attacker can submit crafted input which causes the application to access files that the application designer did not intend it to access. Known as path traversal vulnerabilities, such defects may enable the attacker to read sensitive data including passwords and application logs, or to overwrite security-critical items such as configuration files and software binaries. In the most serious cases, the vulnerability may enable an attacker to completely compromise both the application and the underlying operating system.

Path traversal flaws are sometimes subtle to detect, and many web applications implement defenses against them that may be vulnerable to bypasses. We will describe all of the various techniques you will need, from identifying potential targets, to probing for vulnerable behavior, to circumventing the application’s defenses.

Common Vulnerabilities

Path traversal vulnerabilities arise when user-controllable data is used by the application to access files and directories on the application server or other back-end file system in an unsafe way. By submitting crafted input, an attacker may be able to cause arbitrary content to be read from, or written to, anywhere on the file system being accessed. This often enables an attacker to read sensitive information from the server, or overwrite sensitive files, leading ultimately to arbitrary command execution on the server.

Consider the following example, in which an application uses a dynamic page to return static images to the client. The name of the requested image is specified in a query string parameter:

https://wahh-app.com/scripts/GetImage.aspx?file=diagram1.jpg

When the server processes this request, it performs the following steps:

1. Extracts the value of the file parameter from the query string.

2. Appends this value to the prefix C:\wahh-app\images\ .

3. Opens the file with this name.

4. Reads the file’s contents and returns it to the client.

The vulnerability arises because an attacker can place path traversal sequences into the filename in order to backtrack up from the image directory specified in step 2 and so access files from anywhere on the server. The path traversal sequence is known as “dot-dot-slash,” and a typical attack would look like this:

https://wahh-app.com/scripts/GetImage.aspx?file=..\..\windows\repair\sam

When the application appends the value of the file parameter to the name of the images directory, it obtains the following path:

C:\wahh-app\images\..\..\winnt\repair\sam

The two traversal sequences effectively step back up from the images directory to the root of the C: drive, and so the preceding path is equivalent to this:

C:\winnt\repair\sam

Hence, instead of returning an image file, the server actually returns the repair copy of the Windows SAM file. This file may be analyzed by the attacker to obtain usernames and passwords for the server operating system.

In this simple example, the application implements no defenses to prevent path traversal attacks. However, because these attacks have been widely known about for some time, it is common to encounter applications that implement various defenses against them, often based on input validation filters. As you will see, these filters are often poorly designed and can be bypassed by a skilled attacker.


NEXT is..Finding and Exploiting Path Traversal Vulnerabilities ………………………,,,,,,,,,,,,,,,,,,,,,,