Directory traversal attack

A directory traversal (or path traversal) attack exploits insufficient security validation or sanitization of user-supplied file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.

The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.

Example

A typical example of a vulnerable application in PHP is:

<?php
$template = 'red.php';
if (isset($_COOKIE['TEMPLATE']))
   $template = $_COOKIE['TEMPLATE'];
include ("/home/users/phpguru/templates/" . $template);
?>

An attack against this system could be to send the following HTTP request:

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd

Generating a server response such as:

HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh 
daemon:*:1:1::/tmp: 
phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh

The repeated ../ characters after /home/users/phpguru/templates/ have caused include() to traverse to the root directory, and then include the Unix password file /etc/passwd.

Unix /etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.

However, in more recent Unix systems, the passwd file does not contain the hashed passwords. They are instead located in the shadow file, which cannot be read by unprivileged users on the machine. The passwd file is, however, still useful for account enumeration, as it still lists the user accounts on the system.

Variations of directory traversal

Listed below are some known directory traversal attack strings:

Directory traversal on Unix

Common Unix-like directory traversal uses the ../ characters.

Directory traversal on Microsoft Windows

Microsoft Windows or DOS directory traversal uses the ..\ characters.

Today, many Windows programs or APIs also accept Unix-like directory traversal characters.

Each partition has a separate root directory (labeled C:\ for a particular partition C) and there is no common root directory above that. This means that for most directory vulnerabilities on Windows, the attack is limited to a single partition.

This sort of attack was frequently used to exploit a vulnerability fixed in Microsoft Security Bulletin MS08-067.

URI encoded directory traversal

Canonicalization problem.

Some web applications scan the query string for dangerous character sequences such as:

  • ..
  • ..\
  • ../

to prevent directory traversal. However, the query string is usually URI decoded before use. Therefore these applications are vulnerable to percent encoded directory traversal such as:

  • %2e%2e%2f which translates to ../
  • %2e%2e/ which translates to ../
  • ..%2f which translates to ../
  • %2e%2e%5c which translates to ..\

etc.

Unicode / UTF-8 encoded directory traversal

Canonicalization problem.

UTF-8 was noted as a source of vulnerabilities and attack vectors in Cryptogram Newsletter July 2000 by Bruce Schneier and Jeffrey Streifling.

When Microsoft added Unicode support to their Web server, a new way of encoding ../ was introduced into their code, causing their attempts at directory traversal prevention to be circumvented.

Multiple percent encodings, such as

  • %c1%1c
  • %c0%af

translated into / or \ characters.

Percent encodings were decoded into the corresponding 8-bit characters by the Microsoft web server. This has historically been correct behavior, as Windows and DOS traditionally used canonical 8-bit character sets based upon ASCII.

However, the original UTF-8 was not canonical, and several different byte strings could now be decoded into the same string. Microsoft performed the anti-traversal checks without UTF-8 canonicalization, and therefore did not notice that (HEX) C0AF and (HEX) 2F were the same character when doing string comparisons. Malformed percent encodings, such as %c0%9v, were also utilized[1].
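An added illustration (not part of the original article) of the canonicalization gap described above: a byte-level check sees no separator in the decoded bytes C0 AF or C1 1C, a lenient decoder later turns them into / and \, and a strict UTF-8 decoder rejects both. The lenient decoder is a hypothetical model written for this example and does not reproduce any vendor's code; all function names are assumptions.

```python
from urllib.parse import unquote_to_bytes

def lenient_decode_2byte(data):
    """Hypothetical non-canonical decoder: accepts any lead byte 110xxxxx
    and masks the next byte without checking that it is 10xxxxxx."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b & 0xE0 == 0xC0 and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def strict_decode(data):
    """Canonical UTF-8 decoding: overlong forms are errors, returned as None."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None

def analyze(encoded):
    """Compare what a byte-level filter sees with what each decoder produces."""
    raw = unquote_to_bytes(encoded)
    return {
        "filter_sees_separator": b"/" in raw or b"\\" in raw,
        "lenient": lenient_decode_2byte(raw),
        "strict": strict_decode(raw),
    }

if __name__ == "__main__":
    # Inputs built from the encodings listed in the article.
    for sample in ("..%2f", "..%c0%af", "..%c1%1c"):
        print(sample, analyze(sample))
```

Rejecting the request whenever strict decoding fails closes the gap regardless of which decoder runs later.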

Possible methods to prevent directory traversal

A possible algorithm for preventing directory traversal would be to:

  • Process URI requests that do not result in a file request, e.g., executing a hook into user code, before continuing below.
  • When a URI request for a file/directory is to be made, build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces).
  • It is assumed that a 'Document Root' fully qualified, normalized, path is known, and this string has a length N. Assume that no files outside this directory can be served.
  • Ensure that the first N characters of the fully qualified path to the requested file are exactly the same as the 'Document Root'.
  • If so, allow the file to be returned.
  • If not, return an error, since the request is clearly out of bounds from what the web-server should be allowed to serve.
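One way to implement the steps above, set beside the pre-decoding filter from the URI-encoded section (an added example, not code from the original article). It goes slightly beyond the listed algorithm by comparing whole path components instead of the first N characters, because a bare prefix test would also accept a sibling directory whose name merely starts with the document root's name. The function names and the sample directory tree are assumptions constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote

BLOCKLIST = ("../", "..\\", "..")  # strings the weak filter scans for

def naive_filter_allows(raw_path):
    """Weak check from the text: scan the still-encoded request string."""
    return not any(bad in raw_path for bad in BLOCKLIST)

def resolve_under_root(document_root, raw_path):
    """Decode, normalize, then require the result to stay under the root.

    Returns the absolute path, or None when the request is out of bounds.
    """
    root = os.path.realpath(document_root)
    decoded = unquote(raw_path)                # %2e%2e%2f becomes ../
    if "\x00" in decoded:                      # the file APIs cannot take NUL
        return None
    decoded = decoded.replace("\\", "/")       # treat ..\ the same as ../
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # Compare whole path components rather than the first N characters:
    # a bare prefix test would also accept the sibling <root>-private.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def demo():
    """Constructed sample tree: <tmp>/www is the document root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "templates"))
        os.makedirs(os.path.join(tmp, "www-private"))
        requests = [
            "templates/red.php",
            "%2e%2e%2f%2e%2e%2fetc/passwd",
            "..%5c..%5cetc/passwd",
            "../www-private/key",
        ]
        # request -> (weak filter allows it, containment check allows it)
        return {r: (naive_filter_allows(r), resolve_under_root(root, r) is not None)
                for r in requests}

if __name__ == "__main__":
    for request, verdict in demo().items():
        print(request, verdict)
```

The second request is the case that matters: the weak filter passes it because it scans before decoding, while the containment check rejects it after decoding and normalization.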

See also

  • Chroot jails may be subject to directory traversal if the chroot jail is incorrectly created. Possible directory traversal attack vectors are open file descriptors to directories outside the jail. The working directory is another possible attack vector.

External links

TOOLS: DotDotPwn - The Directory Traversal Fuzzer - [1]


Wikimedia Foundation. 2010.
