“Directory traversal attack”的意思、由来-开放百科全书

词条 Directory traversal attack

释义

Example
Variations of directory traversal
Directory traversal on Unix Directory traversal on Microsoft Windows URI encoded directory traversal Unicode / UTF-8 encoded directory traversal Zip/archive traversal attacks
Possible methods to prevent directory traversal
See also
References
Resources
External links

A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, such that characters representing "traverse to parent directory" are passed through to the file APIs.

The goal of this attack is to use an affected application to gain unauthorized access to the file system. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.

Example

A typical example of vulnerable application in PHP code is:

$template = 'red.php';

if (isset($_COOKIE['TEMPLATE']))

include ("/home/users/phpguru/templates/" . $template);

An attack against this system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0

Cookie: TEMPLATE=../../../../../../../../../etc/passwd

Generating a server response such as:

HTTP/1.0 200 OK

Content-Type: text/html

Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh

daemon*:1:1::/tmp:

phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh

The repeated ../ characters after /home/users/phpguru/templates/ has caused

include() to traverse to the root directory, and then include the Unix password file /etc/passwd.

Unix /etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.

However, in more recent Unix systems, the passwd file does not contain the hashed passwords. They are, instead, located in the shadow file which cannot be read by unprivileged users on the machine. It is however, still useful for account enumeration on the machine, as it still displays the user accounts on the system.

Variations of directory traversal

Listed below are some known directory traversal attack strings:

Directory traversal on Unix

Common Unix-like directory traversal uses the ../ characters.

Sudo, a privilege management program ubiquitous in Unix is vulnerable to this attack when users use the glob wildcard (e.g. chown /opt/myapp/myconfig/* could be exploited with the command sudo chown baduser /opt/myapp/myconfig/../../../etc/passwd).

Directory traversal on Microsoft Windows

Microsoft Windows and DOS directory traversal uses the ..\\ or ../ character sequences.^[1]

Each partition has a separate root directory (labeled C:\\ for a particular partition C) and there is no common root directory above that. This means that for most directory vulnerabilities on Windows, the attack is limited to a single partition.

This kind of attack has been the cause of numerous Microsoft vulnerabilities.^[2]^[3]

URI encoded directory traversal

Canonicalization problem.

Some web applications scan query string for dangerous characters such as:

..
..\\
../

to prevent directory traversal. However, the query string is usually URI decoded before use. Therefore, these applications are vulnerable to percent encoded directory traversal such as:

%2e%2e%2f which translates to ../
%2e%2e/ which translates to ../
..%2f which translates to ../
%2e%2e%5c which translates to ..\\

Unicode / UTF-8 encoded directory traversal

Canonicalization problem.

UTF-8 was noted as a source of vulnerabilities and attack vectors by Bruce Schneier and Jeffrey Streifling.^[4]

When Microsoft added Unicode support to their Web server, a new way of encoding ../ was introduced into their code, causing their attempts at directory traversal prevention to be circumvented.

Multiple percent encodings, such as

%c1%1c
%c0%af

translated into / or \\ characters.

Percent encodings were decoded into the corresponding 8-bit characters by Microsoft webserver. This has historically been correct behavior as Windows and DOS traditionally used canonical 8-bit characters sets based upon ASCII.

However, the original UTF-8 was not canonical, and several strings were now string encodings translatable into the same string. Microsoft performed the anti-traversal checks without UTF-8 canonicalization, and therefore not noticing that (HEX) C0AF and (HEX) 2F were the same character when doing string comparisons. Malformed percent encodings, such as %c0%9v was also utilized.^[5]

Zip/archive traversal attacks

The use of archive formats like zip allows for directory traversal attacks: files in the archive can be written such that they overwrite files on the filesystem by backtracking. Code that uncompresses archive files can be written to check that the paths of the files in the archive do not engage in path traversal.

Possible methods to prevent directory traversal

A possible algorithm for preventing directory traversal would be to:

Process URI requests that do not result in a file request, e.g., executing a hook into user code, before continuing below.
When a URI request for a file/directory is to be made, build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces).
It is assumed that a 'Document Root' fully qualified, normalized, path is known, and this string has a length N. Assume that no files outside this directory can be served.
Ensure that the first N characters of the fully qualified path to the requested file is exactly the same as the 'Document Root'.
If so, allow the file to be returned.
If not, return an error, since the request is clearly out of bounds from what the web-server should be allowed to serve.
Using a hard-coded predefined file extension to suffix the path does not limit the scope of the attack to files of that file extension.

include($_GET['file'] . '.html');

The user can use the NULL character (indicating the end of the string) in order to bypass everything after the $_GET. (This is PHP-specific.)

References

1. ^{{cite news|url=https://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx |title=Naming Files, Paths, and Namespaces |publisher=Microsoft |quote=File I/O functions in the Windows API convert '/' to '\\' as part of converting the name to an NT-style name}}
2. ^{{cite web|url=http://www.securityfocus.com/columnists/285 |title=Security Holes That Run Deep |first=Mark |last=Burnett |date=December 20, 2004 |publisher=SecurityFocus}}
3. ^{{cite web|url=https://www.cvedetails.com/vulnerability-list/vendor_id-26/opdirt-1/Microsoft.html |title=Microsoft: Security Vulnerabilities (Directory Traversal) |publisher=CVE Details}}
4. ^Crypto-Gram Newsletter July 2000
5. ^{{cite web|url=http://lists.sans.org/pipermail/unisog/2002-June/020592.html|title=IIS cmd.exe attack strings}}

Resources

Open Web Application Security Project
The WASC Threat Classification – Path Traversal
[https://www.htbridge.com/vulnerability/path-traversal.html Path Traversal Vulnerability Exploitation and Remediation]
CWE Common Weakness Enumeration - Path Traversal

External links

TOOLS: DotDotPwn – The Directory Traversal Fuzzer –
Conviction for using directory traversal. [https://www.theregister.co.uk/2005/10/05/dec_case/]
Bugtraq: IIS %c1%1c remote command execution
Cryptogram Newsletter July 2001 .

2 : Web security exploits|Computer security exploits

随便看

开放百科全书收录14589846条英语、德语、日语等多语种百科知识，基本涵盖了大多数领域的百科知识，是一部内容自由、开放的电子版国际百科全书。