Path traversal attacks occur when user-supplied input is used to build the path of a file the server reads or writes. An attacker, relying on the application to pass unsanitized data into a file API, could overwrite files containing sensitive information on the host system running the application. The file access operation will most likely inherit the same permissions as the running application. The attacker manipulates the input with relative path traversal sequences (../) or absolute paths to reach files outside the scope of the application.

Impact of Path Traversal

If an attacker can control file paths, the application may expose sensitive information such as password files and server configuration files. When the attacker can name files outside the root directory of the application, including system directories, they can gather additional information with which to compromise the system further.

Testing for Path Traversal

  1. Review the traffic to find operations and parameters associated with file operations (reading and writing). Look for parameters with interesting file extensions.
  2. Based on the underlying system (Linux, Windows), test whether known files can be reached using ../ sequences, for example ../../../etc/passwd on Linux systems. This helps establish whether any input validation functions are in use.
  3. Attempt other sequences such as ....// or ....\/
  4. Employ encoding mechanisms to bypass input validation algorithms.
  5. If the input validation mechanism requires a known URL, use the known URL and append the traversal string, for example /var/www/assets/../../etc/passwd

Fixes

In the example below, an unsanitized user parameter is passed directly into the file API call:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

public Response getImage(@javax.ws.rs.PathParam("image") String image) throws FileNotFoundException {
    // The raw path parameter becomes the child path, so "../" sequences and
    // absolute paths in it are honoured by the filesystem.
    File file = new File("resources/images/", image); // <-- RIGHT HERE

    if (!file.exists()) {
        return Response.status(Status.NOT_FOUND).build();
    }

    return Response.ok().entity(new FileInputStream(file)).build();
}

To mitigate the risk of passing unsanitized data directly into the file API, FilenameUtils from the Apache Commons IO library is used:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import org.apache.commons.io.FilenameUtils;

public Response getImage(@javax.ws.rs.PathParam("image") String image) throws FileNotFoundException {
    // getName keeps only the last path component (for either separator), so
    // "../../etc/passwd" becomes "passwd" and stays inside resources/images/.
    File file = new File("resources/images/", FilenameUtils.getName(image)); // <-- image is now sanitized

    if (!file.exists()) {
        return Response.status(Status.NOT_FOUND).build();
    }

    return Response.ok().entity(new FileInputStream(file)).build();
}
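The probe strings from the testing section above are a convenient way to check a fix like this one. The following is an added example, not code from the original article: it layers the article's FilenameUtils.getName step with a canonical-path containment check, so that a symlink placed inside the image directory cannot lead outside it either. The class and method names are hypothetical, and Apache Commons IO is assumed to be on the classpath.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;

import org.apache.commons.io.FilenameUtils;

// Added example, not code from the original article. Assumes Apache Commons IO
// on the classpath; the class and method names are hypothetical.
public final class SafeImagePath {

    private final Path baseDir; // symlink-resolved path of the only directory we serve from

    public SafeImagePath(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the real path of a regular file inside baseDir, or throws. */
    public Path resolve(String userSupplied) throws IOException {
        // Layer 1 (the article's fix): keep only the last path component, so
        // "../../etc/passwd" and "/var/www/assets/../../etc/passwd" both become "passwd".
        String name = FilenameUtils.getName(userSupplied);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("invalid file name");
        }
        // Layer 2: resolve, normalise and check containment on the *real* path, so a
        // symlink inside baseDir that points elsewhere is rejected too.
        Path candidate = baseDir.resolve(name).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        Path real = candidate.toRealPath(); // NoSuchFileException if the file is absent
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("images");
        Files.write(base.resolve("logo.png"), new byte[] {1, 2, 3});
        // A symlink inside the image directory pointing outside it (skipped where unsupported).
        Path outside = Files.createTempFile("secret", ".txt");
        try {
            Files.createSymbolicLink(base.resolve("link.png"), outside);
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("could not create symlink on this platform; link.png probe will be absent");
        }
        SafeImagePath resolver = new SafeImagePath(base);

        // Constructed probe strings, including the sequences from the testing section.
        String[] probes = {
            "logo.png",
            "../../../etc/passwd",
            "....//....//etc/passwd",
            "/var/www/assets/../../etc/passwd",
            "%2e%2e%2f%2e%2e%2fetc%2fpasswd", // JAX-RS decodes once; double-encoding stays literal
            "..\\..\\windows\\win.ini",
            "link.png",
        };
        for (String p : probes) {
            try {
                System.out.println(p + " -> served " + resolver.resolve(p));
            } catch (IllegalArgumentException | NoSuchFileException e) {
                System.out.println(p + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only logo.png is served; the traversal probes collapse to a non-existent name under the base directory, and link.png is refused because its real path lies outside it. Checking the real path rather than the normalised string is what makes the symlink case fail closed.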

In general:

  • Do not allow user input to be added to file API calls

If user input is needed to specify a file:

  • Validate/sanitize user input using a standard library
  • Do not let the filename specify the destination directory
  • Randomize the filename and keep a mapping between the original filename and the stored file
  • Serve files from a dedicated directory outside both the web root and system-level directories
  • Secure that directory with the proper permissions
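The randomized-filename and mapping advice above can be put together in one small store. This is an added example, not code from the original article: uploads are written under a random UUID in a directory outside the web root, the client's filename is kept only as a display name, and callers get files back by token, so the client never influences the on-disk path. The class, its methods and the storage location are hypothetical; Apache Commons IO is assumed for FilenameUtils.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.commons.io.FilenameUtils;

// Added example, not code from the original article. Class, method and the
// storage directory are hypothetical; requires Apache Commons IO.
public final class UploadStore {

    private final Path storageDir;
    // token -> display name the client sent; the client never influences the on-disk path
    private final Map<String, String> displayNames = new ConcurrentHashMap<>();

    public UploadStore(Path storageDir) throws IOException {
        this.storageDir = Files.createDirectories(storageDir).toRealPath();
        try {
            // Only the application user may list, read or write the store.
            Files.setPosixFilePermissions(this.storageDir, PosixFilePermissions.fromString("rwx------"));
        } catch (UnsupportedOperationException e) {
            // non-POSIX filesystem (e.g. Windows); set an ACL there instead
        }
    }

    /** Saves the content under a random name and returns the token the client uses later. */
    public String store(String clientFileName, InputStream content) throws IOException {
        String display = FilenameUtils.getName(clientFileName); // used for Content-Disposition only
        if (display.isEmpty()) {
            display = "upload";
        }
        String token = UUID.randomUUID().toString();
        Files.copy(content, storageDir.resolve(token));
        displayNames.put(token, display);
        return token;
    }

    /** Resolves a token to its on-disk path; unknown or malformed tokens are refused. */
    public Path open(String token) {
        UUID.fromString(token); // throws IllegalArgumentException on anything but a UUID
        if (!displayNames.containsKey(token)) {
            throw new IllegalArgumentException("unknown upload token");
        }
        return storageDir.resolve(token);
    }

    public String displayName(String token) {
        return displayNames.get(token);
    }

    public static void main(String[] args) throws IOException {
        // Storage lives outside the web root; a temp directory stands in for something like /var/lib/app/uploads.
        UploadStore store = new UploadStore(Files.createTempDirectory("uploads"));

        // Constructed upload whose client-supplied name tries to choose the destination directory.
        InputStream body = new ByteArrayInputStream("hello".getBytes(StandardCharsets.UTF_8));
        String token = store.store("../../etc/cron.d/evil", body);
        System.out.println("stored as " + store.open(token) + " (display name " + store.displayName(token) + ")");

        // A traversal string is not a valid token, so it is refused before touching the filesystem.
        try {
            store.open("../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The mapping is held in memory here; a real application would persist it (a database row per upload is typical) and would check the requesting user's authorization for the token before calling open.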

Tales

K8S Directory Traversal Vulnerability: Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101

The kubectl cp command allows copying files between containers and the user's machine. To copy files from and to containers, Kubernetes runs the tar binary inside the container to either create or unpack a tar archive of the requested files. This is the same mechanism behind the earlier cp command vulnerability.

Confluence Directory Traversal: Confluence – Path traversal vulnerability – CVE-2019-3398

This references a critical severity security vulnerability introduced in version 2.0.0 of Confluence Server and Confluence Data Center, in the download attachments resource. A remote attacker who has permission to add attachments to pages and/or blogs, or to create a new space or personal space, or who has 'Admin' permissions for a space, can exploit this path traversal vulnerability to write files to arbitrary locations.
