Diving into Directory Traversal Vulnerabilities in Open-Source

Vanessa Henderson
Published in SourceClear, Aug 22, 2017

On August 8th, 2017, SAP released a set of security patches for its applications. Among the vulnerabilities fixed was a directory traversal in the SAP NetWeaver AS Java Web Container. With a CVSS score of 7.7, this vulnerability is rated high risk and was addressed quickly. Left unpatched, directory traversal vulnerabilities can let an attacker overwrite files, obtain directory listings, and read files outside the directory the application meant to expose.

This isn’t the first time that a large company has been hit with this type of vulnerability. In 2016, in ‘Chances Are Good…That You’re Already Infected’, Matt Ireland reported that directory traversal attacks are among the most common attack types in the financial sector, which is also the industry with the highest total attack volume. Today we take a closer look at directory traversal attacks and the impact they can have.

What is a Directory Traversal Attack?

A directory traversal attack is used to access files or directories on a web server that lie outside the directory the application intends to expose. These vulnerabilities arise for many reasons, such as missing checks on URLs and relative paths, or insufficient handling of a request path or URL before it is turned into a filesystem path. The most common attack vector for directory traversals that we have seen is the string ../. Each occurrence moves one directory up, so by repeating it an attacker can reach directories they should not have access to. This is why the directory traversal attack is also called a dot-dot-slash attack or directory climbing.

Let’s take a look at a few directory traversal vulnerabilities from the SourceClear Registry.

Examples of Open-Source Packages vulnerable to Directory Traversal Attacks

Overwriting arbitrary files

Attackers can overwrite files in the Python package Moin (aka MoinMoin) using directory traversal attacks. The attacks are possible because the filenames of attachments were not checked. An attacker can place the .. (dot dot) string in the filename to change the directory in which the attachment is saved. The vulnerability was fixed by validating the filename passed to the _do_attachment_move method of action/AttachFile.py. The same vector was later found in mixlib-archive (CVE-2017-1000026), where a .. in an archive entry name lets extraction write outside the destination directory.
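As an added example (not code from MoinMoin, mixlib-archive, or the article), the following Python shows the dot-dot-slash pattern from the definition above applied to an attachment-saving routine, and the containment check that fixes it. The upload directory /srv/wiki/attachments and the sample filenames are assumptions constructed for the demonstration.

```python
import os

# Hypothetical attachment directory (an assumption for this example). It is
# passed through realpath() so that symlinked parents cannot confuse the
# containment check below.
UPLOAD_DIR = os.path.realpath("/srv/wiki/attachments")

# Constructed sample filenames (not taken from any real report): one ordinary
# name, three traversal attempts, and one name that climbs but stays inside.
SAMPLE_FILENAMES = [
    "report.pdf",
    "../../config/secret.ini",
    "sub/../../../etc/passwd",
    "/etc/passwd",
    "notes/../tidy.txt",
]


def vulnerable_attachment_path(upload_dir, filename):
    """The flawed pattern: join the user-supplied name onto the upload
    directory and trust the result. Every '..' component walks one level up,
    and an absolute filename makes os.path.join discard upload_dir entirely."""
    return os.path.join(upload_dir, filename)


def safe_attachment_path(upload_dir, filename):
    """Resolve the candidate path and accept it only if it is still inside
    upload_dir. Returns the absolute path to write to, or None if the name
    escapes. realpath() collapses '..' and follows symlinks, so a link planted
    inside upload_dir that points outside is rejected as well."""
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: certainly not inside
        inside = False
    if not inside or candidate == base:
        return None
    return candidate


def audit(upload_dir, filenames):
    """Map each filename to the path the hardened routine would write, or None."""
    return {name: safe_attachment_path(upload_dir, name) for name in filenames}


if __name__ == "__main__":
    for name, safe in audit(UPLOAD_DIR, SAMPLE_FILENAMES).items():
        naive = os.path.realpath(vulnerable_attachment_path(UPLOAD_DIR, name))
        verdict = "rejected" if safe is None else "ok -> " + safe
        print(f"{name!r:32} naive join -> {naive:40} hardened: {verdict}")
```

The check compares the resolved path against the resolved base rather than searching the input for "..", so encodings, mixed separators and symlinks are all handled by the same rule: the final path must still be under the upload directory.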

Directory Listing Exposure

Validation alone does not make you safe, however. Apache Tomcat servers have validation of this kind, but it was incorrectly implemented, allowing attackers to obtain directory listings for $CATALINA_BASE/webapps. The check filters resource requests whose path contains the /…/ string, but lets the same string through when it is not followed by a slash (/…). The vulnerability was fixed by extending the path validation. The same class of flaw has appeared in popular packages such as Spring Core and Spring Web MVC, and more recently in a study by Liang Gong, who found the attack vector usable against 133 different npm packages.

Access files on Windows machines

The validation may also miss certain characters. Attackers could access directories and files outside the intended scope on a Windows machine running an application written in Django. Django’s file-based session backend stores session data in a file whose name is derived from the session key, and the key submitted in the session cookie was verified only by checking whether it contained the path separator given by Python’s os.path.sep. That single character is insufficient on Windows, which accepts more than one path separator (the forward slash as well as the backslash), so a key built from the separator the check does not cover passes the validation and the attack succeeds.

So, How Can You Avoid Directory Traversal Attacks?

The truth is you cannot avoid directory traversal attacks entirely, but you can take preventive measures. A good start is thorough validation of any filename, path, or URL that users can supply or influence, preferably by resolving the final path and confirming it stays inside the intended directory, or by accepting only an allowlist of characters, rather than searching the input for known-bad strings. The validation must account for the multiple path separators that Windows supports, as well as those of other operating systems. For web applications, it is also advisable not to store sensitive information on the web server itself, so that if an attacker does bypass the validation there is nothing of value to access. In addition to these steps, SourceClear has 43 SVEs (SourceClear Vulnerabilities and Exposures) as well as CVEs for directory traversal which we can identify in your dependencies through a simple scan.
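As an added example (not Django’s code and not the article’s), the following Python reproduces the weak separator check described in the Windows section above and contrasts it with the allowlist approach recommended here. It uses Python’s posixpath and ntpath modules to judge the same session keys under POSIX and Windows path rules on any platform. The storage directories and the sample keys are assumptions constructed for the demonstration.

```python
import ntpath
import posixpath
import string

# Constructed session keys (not from any real incident): one well-formed key
# followed by traversal attempts using forward slashes, backslashes, and both.
SAMPLE_KEYS = [
    "7f3a9c1e2b4d",
    "../../../../windows/win.ini",
    "..\\..\\..\\..\\windows\\win.ini",
    "../..\\../secrets",
]

# Hypothetical session stores (assumptions for this example), paired with the
# path module that models each platform's separator rules.
PLATFORMS = {
    "posix": (posixpath, "/var/lib/app/sessions"),
    "windows": (ntpath, "C:\\app\\sessions"),
}

# Server-generated session keys only ever contain these characters.
VALID_KEY_CHARS = frozenset(string.ascii_lowercase + string.digits)


def denylist_rejects(key, pathmod):
    """The weak check: reject the key only if the platform's primary separator
    (pathmod.sep) appears in it. On Windows that is the backslash alone, so a
    key using '/' slips through."""
    return pathmod.sep in key


def denylist_rejects_fixed(key, pathmod):
    """The patched denylist: also reject the alternate separator the platform
    accepts (pathmod.altsep is '/' on Windows and None on POSIX)."""
    if pathmod.sep in key:
        return True
    return pathmod.altsep is not None and pathmod.altsep in key


def allowlist_accepts(key):
    """The robust check: accept only keys drawn from the generator's alphabet.
    There is no separator list to keep in sync with the operating system."""
    return bool(key) and set(key) <= VALID_KEY_CHARS


def weak_backend_target(key, platform):
    """File the weak backend would open for this key on the given platform,
    normalised to show where it really lands, or None if the denylist stops it."""
    pathmod, store = PLATFORMS[platform]
    if denylist_rejects(key, pathmod):
        return None
    return pathmod.normpath(pathmod.join(store, "sessionid" + key))


def hardened_backend_target(key, platform):
    """File the hardened backend opens; refuses anything outside the alphabet."""
    pathmod, store = PLATFORMS[platform]
    if not allowlist_accepts(key):
        raise ValueError("invalid characters in session key")
    return pathmod.join(store, "sessionid" + key)


def evaluate(keys):
    """Per key: does each check stop it under POSIX and under Windows rules?"""
    return {
        key: {
            "posix_denylist_blocks": denylist_rejects(key, posixpath),
            "windows_denylist_blocks": denylist_rejects(key, ntpath),
            "windows_fixed_denylist_blocks": denylist_rejects_fixed(key, ntpath),
            "allowlist_accepts": allowlist_accepts(key),
        }
        for key in keys
    }


if __name__ == "__main__":
    for key, verdicts in evaluate(SAMPLE_KEYS).items():
        print(f"{key!r:36} {verdicts}")
        print(f"    weak backend on Windows opens: {weak_backend_target(key, 'windows')}")
```

Run on any platform, the forward-slash key is blocked by the POSIX denylist but passes the Windows one and normalises to C:\windows\win.ini, which is exactly the gap the article describes. The allowlist rejects every traversal attempt without knowing anything about separators.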

Are you curious about a certain type of vulnerability? Email me directly at vanessa@sourceclear.com.
