views: 589
answers: 4

Is there a way to execute commands using directory traversal attacks?

For instance, I access a server's etc/passwd file like this

http://server.com/..%01/..%01/..%01//etc/passwd

Is there a way to run a command instead? Like...

http://server.com/..%01/..%01/..%01//ls

..... and get an output?

EDIT: To be clear here, I've found the vuln in our company's server. I'm looking to raise the risk level (or bonus points for me) by proving that it may give an attacker complete access to the system
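The `..%01` form in the question is a traversal sequence that only works because the server decodes or ignores the control byte after the two dots, so a naive log search for `../` will miss it. The following is an added example, not code from the question or any answer: it walks a few constructed Apache access-log lines, percent-decodes each request path until it stops changing (which also catches double encoding such as `%252f`), strips control characters, and then flags any path whose `..` segments climb above the document root. `/about/../contact.html` is deliberately included to show that a `..` which stays inside the root is not reported.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not taken from the question).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2010:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2010:10:01:03 +0000] "GET /..%01/..%01/..%01//etc/passwd HTTP/1.1" 200 1873
10.0.0.7 - - [12/Jan/2010:10:01:04 +0000] "GET /images/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 210
10.0.0.9 - - [12/Jan/2010:10:01:05 +0000] "GET /docs/..%252f..%252fboot.ini HTTP/1.1" 404 198
10.0.0.5 - - [12/Jan/2010:10:01:06 +0000] "GET /about/../contact.html HTTP/1.1" 200 330
"""

# Pulls method and path out of the quoted request line of a combined/common log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(raw):
    """Percent-decode until stable (catches double encoding), then drop C0 control bytes
    such as \\x01, which is what turns '..%01' back into a plain '..' segment."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return "".join(ch for ch in decoded if ord(ch) >= 0x20)


def escapes_root(norm_path):
    """Track directory depth segment by segment; any '..' that takes depth below zero
    means the request tried to climb out of the document root."""
    depth = 0
    for seg in norm_path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def is_traversal(path):
    # Query string is irrelevant to the filesystem path, so strip it before normalising.
    return escapes_root(normalize_path(path.split("?", 1)[0]))


def find_traversal_requests(log_text):
    """Return (client_ip, raw_path, normalized_path) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("path")):
            raw = m.group("path")
            hits.append((line.split()[0], raw, normalize_path(raw)))
    return hits


if __name__ == "__main__":
    for ip, raw, norm in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} requested {raw!r} -> normalises to {norm!r}")
```

The decode loop stops after three rounds on purpose: a path that still changes after that is itself suspicious and worth alerting on, but an unbounded loop would let a crafted request tie up the detector.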

A: 

Unless the web server is utterly hideously programmed by someone with no idea what they're doing, trying to access ls using that (assuming it even works) would result in you seeing the contents of the ls binary, and nothing else.

Which is probably not very useful.

Anon.
A: 

Edit#2: I have edited out my comments as they were deemed sarcastic and blunt. Ok now as more information came from gAMBOOKa about this, Apache with Fedora - which you should have put into the question - I would suggest:

  • Post to Apache forum, highlighting you're running latest version of Apache and running on Fedora and submit the exploit to them.
  • Post to Fedora's forum, again, highlighting you're running the latest version of Apache and submit the exploit to them.
  • It should be noted, include the httpd.conf to both of the sites when posting to their forums.
  • To minimize access to passwd files, look into running Apache in a sandbox/chrooted environment where any other files such as passwd are not visible outside of the sandbox/chrooted environment...have you a spare box lying around to experiment with it, or even better use VMware to simulate the identical environment you are using for the Apache/Fedora - try to get it to be an IDENTICAL environment, make the httpd server run within VMware, and remotely access the virtual machine to check if the exploit is still visible. Then chroot/sandbox it and re-run the exploit again...
  • Document the step-by-step to reproduce it and include a recommendation until a fix is found, meanwhile if there is minimal impact to the webserver running in sandbox/chrooted environment - push them to do so...

Hope this helps, Best regards, Tom.

tommieb75
@gAMBOOKa: check here http://stackoverflow.com/questions/1547012/where-hackers-hang-out
tommieb75
Please see edited question. It clarifies my position. I'm not a security person, in fact, our company does not have one. So I would like to get this issue fixed. My project manager is likely to disregard a read-only access vulnerability as opposed to a complete-access one.
gAMBOOKa
@gAMBOOKa: Wow! A vulnerability - what kind of server are you running under for that to happen - Show your boss this page on SO and point your finger at this to see....unless you tell us what server...we perhaps may be able to help you...I think you should put that in your question, that your server is running software x. You will get a better response.... ;) If it's serious, your project manager SHOULD BE LISTENING TO YOU and not dismissing this as a 'read-only access vulnerability'.....
tommieb75
The directory traversal attack exists deep within an open source product we use. It's not a stupid SysAdmin issue. We run the latest version of Apache on Fedora btw. Exploiting our web server would at the very least hand over the passwd and shadow files to the attacker as well as expose our source code to them.
gAMBOOKa
I wonder what your boss would say if someone exploited this, and you said "Oh, I knew about this ages ago but I didn't tell anyone because I wanted to trump up how severe it was first".
Anon.
@gAMBOOKa: Ok! I'll re-edit my answer accordingly - I have to take my hat off to you for finding that vulnerability and apologize for my sarcastic comments! What version of Fedora?
tommieb75
Well, I'm telling my boss anyway. I was only hoping to escalate it. You could've spent half the time you did writing me responses guiding me, instead you couldn't get that head of yours out of that another-noob-hacker-on-SO-i-gotta-needlessly-screw-with mentality.
gAMBOOKa
@gAMBOOKa: Please see my answer...and I apologize again, sincerely do!
tommieb75
Thanks. I admire your modesty. As to your reply, that's sound advice. I will report to my manager, hopefully convincing him that read-only access is damage enough. I've got a spare box to test the exploit on. I wish I could tell you more about the exploit but I'm guessing it will need to be published under the company name. Once again, thank you for your time and I mean it.
gAMBOOKa
@gAMBOOKa: No problem, glad to be of help, please post back to let us know how you got on... :)
tommieb75
A: 

Yes it is possible (the first question) if the application is really really bad (in terms of security).

http://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution

cherouvim
A: 

If you are able to view /etc/passwd as a result of the document root or directory access not being correctly configured on the server, then the presence of this vulnerability does not automatically mean you can execute commands of your choice.

On the other hand, if you are able to view entries from /etc/passwd as a result of the web application using user input (filename) in calls such as popen, exec, system, shell_exec, or variants without adequate sanitization, then you may be able to execute arbitrary commands.

mar
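The two cases in the answer above call for two different fixes, so here is an added example (my code, not from any poster on this page) that shows them side by side on a constructed temporary document root. `serve_file_vulnerable` is the first case: an untrusted filename joined onto the root with no containment check, so `../secret.txt` (standing in for `/etc/passwd`) is read. `safe_resolve` canonicalises the path and refuses anything that resolves outside the root, which also covers an absolute filename, since `os.path.join` silently discards the root when the second argument is absolute. `line_count_hardened` is the second case: the filename reaches an external program, so it is validated first and passed as one argv element with no shell in the picture, instead of being interpolated into a `system`/`popen` command string.

```python
import os
import subprocess
import tempfile

# Constructed document root with one public file, plus one file just outside it
# (the outside file stands in for /etc/passwd so the demo touches nothing real).
_BASE = tempfile.mkdtemp(prefix="traversal_demo_")
ROOT = os.path.join(_BASE, "www")
os.mkdir(ROOT)
PUBLIC = os.path.join(ROOT, "readme.txt")
SECRET = os.path.join(_BASE, "secret.txt")
with open(PUBLIC, "w") as f:
    f.write("public file\nsecond line\n")
with open(SECRET, "w") as f:
    f.write("outside the document root\n")


def serve_file_vulnerable(name):
    """Case 1 from the answer: filename joined straight onto the root, no containment
    check, so '..' segments (and absolute names) walk out of the document root."""
    with open(os.path.join(ROOT, name), "rb") as f:
        return f.read()


def safe_resolve(name):
    """Canonicalise the requested path (resolving '..', absolute names and symlinks)
    and refuse anything whose real location is not under ROOT."""
    root = os.path.realpath(ROOT)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refused: {name!r} resolves outside the document root")
    return target


def serve_file_hardened(name):
    with open(safe_resolve(name), "rb") as f:
        return f.read()


def refused(name):
    """True if the hardened resolver rejects the name (convenience for checks)."""
    try:
        safe_resolve(name)
    except PermissionError:
        return True
    return False


def line_count_hardened(name):
    """Case 2 from the answer: the filename reaches an external program. It is validated
    first and handed over as a single argv element with shell=False (the default), so
    it is never parsed as shell syntax the way a 'wc -l ' + name string would be."""
    target = safe_resolve(name)
    result = subprocess.run(["wc", "-l", target], capture_output=True, text=True, check=True)
    return int(result.stdout.split()[0])


if __name__ == "__main__":
    print("vulnerable, ../secret.txt:", serve_file_vulnerable("../secret.txt"))
    print("hardened, readme.txt:", serve_file_hardened("readme.txt"))
    print("hardened refuses ../secret.txt:", refused("../secret.txt"))
    print("hardened refuses absolute path:", refused(SECRET))
    print("line count of readme.txt:", line_count_hardened("readme.txt"))
```

The containment check is done on the result of `os.path.realpath`, not on the string the client sent, because string checks for `..` are exactly what encodings like the `..%01` in the question are built to slip past; once the path is canonical there is nothing left to encode around. The `wc` call assumes a POSIX environment with coreutils on the path.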