Using directory traversal attack to execute commands


Solution 1

If you are able to view /etc/passwd as a result of the document root or directory access not being correctly configured on the server, then the presence of this vulnerability does not automatically mean you can execute commands of your choice.

On the other hand, if you are able to view entries from /etc/passwd as a result of the web application using user input (a filename) in calls such as popen, exec, system, shell_exec, or variants without adequate sanitization, then you may be able to execute arbitrary commands.
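The distinction Solution 1 draws, shown in code. This is an added example, not code from the answer or from any real product: a request path is canonicalised and pinned under the document root before it reaches either sink, and the command sink receives the resolved path as a single argv element rather than a shell string. The function names (fully_decode, safe_resolve, read_file, list_directory, demo) and the throwaway directory layout are assumptions made for the demonstration.

```python
"""Added example (not from the original answers): the same traversal input
reaching a file-read sink versus a command sink, with the validation that
keeps both inside the document root. All names here are assumed."""
import os
import subprocess
import sys
import tempfile
import urllib.parse


def fully_decode(raw: str) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e%252e end up as the characters the OS would see."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, urllib.parse.unquote(cur)
    return cur


def safe_resolve(root: str, raw_path: str) -> str:
    """Map a request path onto the filesystem and refuse anything that leaves
    root. Raises ValueError instead of serving the file."""
    decoded = fully_decode(raw_path)
    # The %01 in the page's URL is a control byte; a sloppy path parser may
    # drop it and turn "..\x01" into "..". Reject control bytes outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError("control character in request path")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # realpath collapses every ".." and symlink, so one prefix check suffices.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("request path escapes the document root")
    return candidate


def read_file(root: str, raw_path: str) -> bytes:
    """The read-only case: even if validation were missing, this sink can
    only disclose file contents, never run a command."""
    with open(safe_resolve(root, raw_path), "rb") as fh:
        return fh.read()


def list_directory(root: str, raw_path: str):
    """The command-sink case in its hardened form: the resolved path is one
    argv element, never interpolated into a shell string, so ';', '|' or
    backticks in the request stay literal. A Python one-liner stands in for
    `ls` so the example runs anywhere. Returns a sorted list of entries, or
    None if the child process failed."""
    target = safe_resolve(root, raw_path)
    proc = subprocess.run(
        [sys.executable, "-c",
         "import os, sys; print('\\n'.join(sorted(os.listdir(sys.argv[1]))))",
         target],
        capture_output=True, text=True, shell=False,
    )
    if proc.returncode != 0:
        return None
    return [line for line in proc.stdout.splitlines() if line]


def demo() -> dict:
    """Build a throwaway document root with one public file and one file
    outside it (constructed data), then exercise both sinks."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"not for the web")
    results = {
        "index": read_file(root, "/index.html"),
        "listing": list_directory(root, "/"),
        # Metacharacters reach the child as part of one literal filename.
        "listing_injected": list_directory(root, "/index.html; echo injected"),
    }
    for probe in ("../secret.txt", "..%2f..%2fsecret.txt",
                  "..%01/..%01/secret.txt"):
        try:
            read_file(root, probe)
            results[probe] = "served"
        except ValueError:
            results[probe] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The control-byte check exists because the request in the question relies on `%01` being swallowed somewhere between the URL parser and the filesystem; a resolver that refuses such bytes does not have to guess how any particular parser treats them. The `shell=False` argv form is what turns Solution 1's second scenario back into the first: the worst a crafted path can do is name a directory that does not exist.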

Solution 2

Chroot on Linux is easily breakable (unlike FreeBSD). A better solution is to switch on SELinux and run Apache in an SELinux sandbox:

run_init /etc/init.d/httpd restart

Make sure you have mod_security installed and properly configured.

Author: HyderA

Updated on June 05, 2022

Comments

  • HyderA
    HyderA almost 2 years

    Is there a way to execute commands using directory traversal attacks?

    For instance, I access a server's etc/passwd file like this

    http://server.com/..%01/..%01/..%01//etc/passwd
    

    Is there a way to run a command instead? Like...

    http://server.com/..%01/..%01/..%01//ls
    

    ..... and get an output?

    To be clear here, I've found the vuln in our company's server. I'm looking to raise the risk level (or bonus points for me) by proving that it may give an attacker complete access to the system

  • t0mm13b
    t0mm13b about 14 years
  • HyderA
    HyderA about 14 years
    Please see edited question. It clarifies my position. I'm not a security person, in fact, our company does not have one. So I would like to get this issue fixed. My project manager is likely to disregard a read-only access vulnerability as opposed to a complete-access one.
  • t0mm13b
    t0mm13b about 14 years
    @gAMBOOKa: Wow! A vulnerability - what kind of server are you running under for that to happen - Show your boss this page on SO and point your finger at this to see....unless you tell us what server...we perhaps may be able to help you...I think you should put that in your question, that your server is running software x. You will get a better response.... ;) If it's serious, your project manager SHOULD BE LISTENING TO YOU and not dismissing this as a 'read-only access vulnerability'.....
  • HyderA
    HyderA about 14 years
    The directory traversal attack exists deep within an open source product we use. It's not a stupid SysAdmin issue. We run the latest version of Apache on Fedora btw. Exploiting our web server would at the very least hand over passwd and shadow file to the attacker as well as expose our source code to them.
  • Anon.
    Anon. about 14 years
    I wonder what your boss would say if someone exploited this, and you said "Oh, I knew about this ages ago but I didn't tell anyone because I wanted to trump up how severe it was first".
  • t0mm13b
    t0mm13b about 14 years
    @gAMBOOKa: Ok! I'll re-edit my answer accordingly - I have to take my hat off to you for finding that vulnerability and apologize for my sarcastic comments! What version of Fedora?
  • HyderA
    HyderA about 14 years
    Well, I'm telling my boss anyway. I was only hoping to escalate it. You could've spent half the time you did writing me responses guiding me, instead you couldn't get that head of yours out of that another-noob-hacker-on-SO-i-gotta-needlessly-screw-with mentality.
  • t0mm13b
    t0mm13b about 14 years
    @gAMBOOKa: Please see my answer...and I apologize again, sincerely do!
  • HyderA
    HyderA about 14 years
    Thanks. I admire your modesty. As to your reply, that's sound advice. I will report to my manager, hopefully convincing him that read-only access is damage enough. I've got a spare box to test the exploit on. I wish I could tell you more about the exploit but I'm guessing it will need to be published under the company name. Once again, thank you for your time and I mean it.
  • t0mm13b
    t0mm13b about 14 years
    @gAMBOOKa: No problem, glad to be of help, please post back to let us know how you got on... :)