A Deep Dive into Path Traversal Vulnerabilities

cover
30 Jun 2024

Imagine your house is full of rooms with various doors, some leading to secure areas like your personal office or a safe room. Now, what if someone knew a trick to bypass the usual routes and access these rooms directly, stealing or tampering with your valuables, such as your 419-karat gold chain, expensive perfume, or even your vintage Kolo box. This is essentially what happens in a path traversal attack.


What is Path Traversal?

Path traversal, also known as directory traversal, is a type of vulnerability found in web applications. It allows attackers to access files and directories stored outside the web root folder, which they typically shouldn't be able to reach, that's for the chefs, a.k.a Backend Engineers. These files can contain sensitive information like application code, user data, credentials, and even system files, which can be exploited to gain further control over the server.


How Path Traversal Works

Say there's a web application, a sinister yahooyahoo online shopping store used to trade illegally, much like Darkmarket, with its name actually being yahooyahoo! Dumb I know, had to do with something about hiding in plain sight by the admin who's now in jail :).

The application loads an image using a URL like this:

<img src="/loadImage?filename=218.png">

In the backend, the server processes this request by appending the filename to a base directory:

/var/www/images/218.png

However, if there are no defenses against path traversal, an attacker; in this case EFCC, can manipulate the filename parameter to access other files on the server such as account info of the users.

For instance, they might try:

https://yahooyahoo.com/loadImage?filename=../../../etc/passwd

This request instructs the server to load a file by stepping up three directory levels from the base path and then accessing the /etc/passwd file, a critical system file on Unix-like systems.

The server constructs the path like this:

/var/www/images/../../../etc/passwd

The ../ sequence moves up one directory level. So, the path resolves to:

/etc/passwd


The Power and Might of ../ Sequence

When you hear of Sequence in Web-Sec, just think of Navigation.

Think of ../ as a way to go up one level in a directory structure, like climbing a ladder to the floor above:

  • A single ../ takes you one level up.
  • ../../ takes you two levels up.
  • ../../../ takes you three levels up, and so on.

In a computer file system:

  • Starting at /home/user/documents/projects, ../ takes you to /home/user/documents.
  • ../../ would take you to /home/user.
  • ../../../ brings you to /home.

To better understand this:

Imagine you're in a large hotel, Hotel 3FCC. You start in room 419 (4th floor, 19th room). Using ../:

  • ../ means stepping out into the hallway (up one level in directory terms).
  • ../../ means taking the elevator down to the 3rd floor.
  • ../../../ means going down to the 2nd floor.

Hotel Layout:

Hotel:
---------------------

                          (Floors)
                                |
                                |
    +---------------------------------------------+
    | 1st Floor  | 2nd Floor  | 3rd Floor | 4th Floor |
    |             |             |             |             |
    +-------------+-------------+-------------+-------------+
    |             | Room 219   |             | Room 419   |
    |             |             |             | (Your Room)|
    |             +-------------+             +-------------+
    |             | Room 220   |             | Room 420   |
    |             |             |             |             |
    +-------------+-------------+-------------+-------------+
    |             | Room 319   |             |             |
    |             |             |             |             |
    |             +-------------+             +-------------+
    |             | Room 320   |             |             |
    |             |             |             |             |
    +-------------+-------------+-------------+-------------+

Path Traversal Steps:

  1. Initial Position: Room 419 on the 4th Floor

    • Current Path: /home/user/documents/projects

    • Hotel Analogy: You are in Room 419 on the 4th Floor

      +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | Room 419 | | | | | (You) | | +-------------+ +-------------+ | | Room 220 | | Room 420 | | | | | | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+

  2. Step 1: Using ../ to move up one level to the hallway of the 4th floor

    • New Path: /home/user/documents

    • Hotel Analogy: Stepping out into the hallway of the 4th Floor

      +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | | Room 419 | | | | | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 319 | | | | | | | | | +-------------+ +-------------+ | | Room 320 | | | | | | | | +-------------+-------------+-------------+-------------+

  3. Step 2: Using ../../ to move up two levels to the 3rd Floor

    • New Path: /home/user

    • Hotel Analogy: Taking the elevator down to the 3rd Floor

      +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | | | | +-------------+-------------+-------------+-------------+ | | Room 219 | (You) | (Hallway) | | | | | | | +-------------+ +-------------+ | | Room 220 | Room 319 | Room 419 | | | | (Empty) | (Empty) | +-------------+-------------+-------------+-------------+ | | Room 320 | | | | | | | | | +-------------+ +-------------+ | | | | | +-------------+-------------+-------------+-------------+

  4. Step 3: Using ../../../ to move up three levels to the 2nd Floor

    • New Path: /home

    • Hotel Analogy: Taking the elevator down to the 2nd Floor

      +---------------------------------------------+ | 1st Floor | 2nd Floor | 3rd Floor | 4th Floor | | | (You) | (Empty) | (Hallway) | +-------------+-------------+-------------+-------------+ | | Room 219 | Room 319 | Room 419 | | | | (Empty) | (Empty) | | +-------------+ +-------------+ | | Room 220 | Room 320 | Room 420 | | | | | | +-------------+-------------+-------------+-------------+

Defenses and Bypasses

To prevent these attacks, many applications strip out directory traversal sequences from user input. But clever attackers often find ways to bypass these defenses.

For instance, they might use an absolute path directly from the root:

filename=/etc/passwd

Or, they might use nested traversal sequences like ....//, which, after stripping, still leaves a valid traversal sequence:

https://yahooyahoo.com/loadImage?filename=....//etc/passwd

Here’s how nested sequences work:

  • User input: ....//etc/passwd
  • Application strips ../: The sequence ....// reverts to ../
  • Resulting path: /var/www/images/../etc/passwd
  • Final path resolves to: /etc/passwd

URL Encoding Tricks

Another trick involves URL encoding (I'll be writing an article on URL encoding soon), where characters like ../ are represented in encoded forms (%2e%2e%2f). For example:

filename=%2e%2e%2f%2e%2e%2fetc/passwd

This can trick the application into processing it as valid input.

Protecting Against Path Traversal

To defend against path traversal:

  1. Avoid using user input in filesystem APIs whenever possible.
  2. Validate user inputs rigorously:
    • Use a whitelist of allowed values.
    • Allow only specific characters (e.g., alphanumeric).
  3. Canonicalize the path:
    • Ensure the resolved path starts with the expected base directory.

Real-Life Examples of Path Traversal Attacks

1. Apache Struts CVE-2017-5638

In 2017, a critical vulnerability was discovered in Apache Struts, a popular open-source web application framework. The vulnerability (CVE-2017-5638) allowed attackers to exploit path traversal to read and execute arbitrary files on the server. This was part of the attack vector used in the massive Equifax data breach, which exposed personal information of over 147 million people. Attackers leveraged the vulnerability to execute remote code, gaining access to sensitive data.

2. Fortinet FortiOS Path Traversal (CVE-2018-13379)

In 2018, a path traversal vulnerability (CVE-2018-13379) was discovered in Fortinet's FortiOS SSL VPN web portal. The flaw allowed unauthenticated attackers to download system files via specially crafted HTTP resource requests. By exploiting this, attackers could access sensitive information such as password files and VPN session details, compromising the security of the entire network.

3. Magento eCommerce Platform

Magento, a popular eCommerce platform, has been subject to multiple path traversal vulnerabilities over the years. One such vulnerability allowed attackers to exploit the file upload mechanism to upload malicious files by bypassing directory restrictions. This could lead to remote code execution, enabling attackers to take over the web server and access sensitive customer information and payment data.

4. Nokia Store App

In 2012, a significant path traversal vulnerability was found in the Nokia Store app. The issue allowed attackers to download arbitrary files from the server. By manipulating the URL parameters, attackers could access restricted directories and sensitive files, potentially exposing user data and internal configurations.

5. Rubygems.org Path Traversal (CVE-2020-25613)

In 2020, a path traversal vulnerability was identified in Rubygems.org, the Ruby community’s gem hosting service. The vulnerability (CVE-2020-25613) allowed attackers to manipulate file paths and download arbitrary files from the server. This posed a significant risk as it could potentially expose sensitive configuration files and credentials stored on the server.

6. Cisco ASA Path Traversal Vulnerability (CVE-2018-0296)

Cisco's Adaptive Security Appliance (ASA) software was found to have a critical path traversal vulnerability (CVE-2018-0296) in 2018. This allowed unauthenticated attackers to send crafted HTTP requests to gain access to sensitive system files. Exploiting this flaw, attackers could obtain information about the device configuration, potentially aiding in further attacks against the network.

7. GitHub Enterprise Server Path Traversal (CVE-2020-10546)

In 2020, a path traversal vulnerability (CVE-2020-10546) was discovered in GitHub Enterprise Server. This vulnerability allowed attackers to access arbitrary files on the server by manipulating URL paths. Exploiting this, an attacker could gain access to sensitive information such as repository files and configuration data, posing a significant security risk to the affected enterprises.

8. WordPress Plugin Vulnerabilities

Many WordPress plugins have been found vulnerable to path traversal attacks. For instance, the popular plugin "Duplicate Page" had a path traversal vulnerability that allowed attackers to read arbitrary files from the server. Such vulnerabilities in widely used plugins pose significant risks as they can affect a large number of websites, potentially exposing sensitive data and enabling further attacks.

Final words

I'm not supposed to be writing an article telling you this (lol), but sometimes the most secure doors have hidden keys – and in the world of web security, path traversal is one key you definitely don't want falling into the wrong hands.

Path traversal vulnerabilities extend beyond what I have shown here but see this as a starting point, a good magician never reveals his secrets :).

Path traversal vulnerabilities are like hidden passages in a fortress, allowing attackers to slip through defenses and wreak havoc. By understanding how these attacks work and implementing defenses, we can better protect our digital fortresses from unauthorized access. Always validate and sanitize user inputs, and regularly, I mean regularly review your code and server configurations to close off any potential exploits.

Mischief Managed.

Resources:

Portswigger (Web Security Academy)

Wikipedia