I have a Java Web App running on Tomcat on which I'm supposed to exploit a Path traversal vulnerability. There is a section (in the App) at which I can upload a .zip file, which gets extracted in the server's /tmp directory. The content of the .zip file is not being checked, so basically I could put anything in it. I tried putting a .jsp file in it and it extracts perfectly. My problem is that I don't know how to reach this file as a "normal" user from the browser. I tried entering ../../../tmp/somepage.jsp in the address bar, but Tomcat just strips the ../ and gives me http://localhost:8080/tmp/ resource not available. Ideal would be if I could somehow encode ../ in the path of somepage.jsp so that it gets extracted in the web root directory of the Web App. Is this possible? Are there maybe any escape sequences that would translate to ../ after extracting?

Any ideas would be highly appreciated.
Note: This is a school project in a Security course where I'm supposed to locate vulnerabilities and correct them. Not trying to harm anyone...

Maputo

2 Answers

Sorry about the downvotes. Security is very important, and should be taught.

Do you pass in the file name to be used?

The check that the server does is probably something like: if the location starts with "/tmp" then allow it. So what you want to do is pass `/tmp/../home/webapp/`?

Another idea would be to see if you could craft a zip file that would result in the contents being moved up - like if you set "../" in the filename inside the zip, what would happen? You might need to manually modify things if your zip tools don't allow it.

Murph
  • I have an upload form where I just select the zip file to upload. The server then extracts the file to the `/tmp` directory. So if I put `somepage.jsp` in the zip file, it will land in the `/tmp` afterwards. Now I'm just guessing the fact that I can put anything in the zip file and get it extracted in the `/tmp` is a vulnerability. How could I manually modify the zip file to get the `somepage.jsp` to extract in the web root folder? Is it possible? Thanks for your help. – Maputo Oct 21 '13 at 21:59
  • It's really hard to tell you the right answer, it could depend on so much stuff. Try zipping up a symlink to /, so like .. /tmp/root points to /, then try extracting a second zip file that has a file named root/home/webapp/malicious.jsp in it? :D – Murph Oct 21 '13 at 22:01
  • Hm.. That's a great idea. But I didn't mention that it's actually always extracted to a different folder within `/tmp`. Do you think that I could zip the symlink and the file together? So that they get extracted in the same directory. And another issue. How do I name a file that contains "/"? Linux disallows it... – Maputo Oct 21 '13 at 22:05
  • Sounds great, yeah, try bundling them into one. You can zip up whole hierarchies of folders, and depending on how unzip is run it might respect those path names, or it might not. That's usually how you get the "/" in there. – Murph Oct 21 '13 at 22:07
  • Thank you very much, I think that should do the trick. Let me just start up the virtual machine and try it out. Thanks again! – Maputo Oct 21 '13 at 22:11
  • The unzip utility respects the path names but I still don't know how to go two folders back. I create the whole hierarchy of folders and zip it. And what I'm getting is: `/tmp/web1a2/home/user/webapp/myfolder/myfile` instead of just `/home/user/../myfile`. And I can't create a symlink and bundle it together because I'm going to have two files with the same name then. – Maputo Oct 21 '13 at 23:03

To protect against this kind of vulnerability you are looking for something like this:

 String somedirectory = "c:/fixed_directory/";
 String file = request.getParameter("file");
 if (file.indexOf(".") > -1)
 {
   // if it contains a ".", disallow (this also rejects "..")
   out.print("stop trying to hack");
   return;
 }
 else
 {
   // load the specified file and print it to the screen
   loadfile(somedirectory + file + ".txt");
   // .....
 }

If you were to just pass the variable "file" to your loadfile function without checking, then someone could make a link to load any file they want. See https://www.owasp.org/index.php/Path_Traversal

developerwjk
  • The thing is that I haven't found the actual vulnerability yet. I'm just guessing that if I can extract any file in the `/tmp` folder, that could somehow be exploited. I first need to figure out how, and then correct it. – Maputo Oct 21 '13 at 22:01
  • Most zip programs have a flag to use or not use the exact folder structure mentioned in the zip, and a good one will have it off by default to prevent this kind of nonsense. – developerwjk Oct 21 '13 at 22:05
  • Yes, but the Web App is using its own written Unzip class utility. Oh. You just answered it I guess. If I put the file in the same folder structure leading up to the web root directory, the Unzip utility will extract it there (of course if it's poorly written). Right? – Maputo Oct 21 '13 at 22:09
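As an added example (not code from the question or from either answer), this is how an app's own Unzip class could be hardened against the two ideas raised in both answers: entry names containing `../` and symlinks already present inside the extraction directory. Every entry name is resolved against the target directory and its canonical path (which follows symlinks) must still start with that directory; the class name SafeUnzip, the method names, and the Java 9+ `transferTo` call are my assumptions, not the app's code.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class SafeUnzip {

    // Resolve the entry name under destDir and require that the canonical
    // result (symlinks and ".." segments resolved) is still inside destDir.
    // An entry like "../../home/user/webapp/x.jsp" canonicalizes outside
    // the extraction directory and is rejected before anything is written.
    static File resolveInside(File destDir, String entryName) throws IOException {
        String base = destDir.getCanonicalPath() + File.separator;
        File target = new File(destDir, entryName);
        String canonical = target.getCanonicalPath();
        if (!canonical.startsWith(base)) {
            throw new IOException("zip entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    static void extract(File zip, File destDir) throws IOException {
        try (ZipFile zf = new ZipFile(zip)) {
            Enumeration<? extends ZipEntry> entries = zf.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                File target = resolveInside(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target.toPath());
                    continue;
                }
                Files.createDirectories(target.toPath().getParent());
                try (InputStream in = zf.getInputStream(e);
                     OutputStream out = new FileOutputStream(target)) {
                    in.transferTo(out);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        extract(new File(args[0]), new File(args[1]));
    }
}
```

Because the check runs per entry before any write, a single bad entry aborts the extraction; java.util.zip also never materializes symlinks from the archive, so the "zip a symlink first" trick from the comments cannot plant one through this path.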