Blog | G5 Cyber Security

Directory Traversal: Beyond ../

TL;DR

Yes, other sequences can achieve directory traversal besides ../. This guide explains these methods for both *nix (Linux/macOS) and Windows systems, along with how to prevent them.

Understanding Directory Traversal

Directory traversal attacks exploit vulnerabilities where user-supplied input is used to construct file paths without proper validation. The goal is to access files or directories outside the intended root directory. While ../ is common, it’s not the only way.

*nix Systems (Linux/macOS)

  1. Absolute Paths: If your application allows users to specify a full path, they can bypass restrictions.
    • Example: Instead of expecting images/profile.jpg, an attacker might provide /etc/passwd.
  2. Relative Paths with Multiple Components: Using multiple ../ sequences can move up several directories.
    • Example: ../../../../etc/passwd
  3. Path Normalisation Issues: Some systems might not correctly normalise paths, leading to unexpected behaviour. This is less common now but worth knowing.
    • Symbolic links can be exploited if the application follows them without checking their destination.
  4. Encoded Paths: Attackers may use URL encoding (e.g., %2e%2e/ for ../) or other encoding schemes to bypass basic filters.
    • Example: An attacker might try images/%2e%2e/etc/passwd
  5. Globbing Characters: Wildcards like * and ? can sometimes be used to traverse directories, depending on the application’s handling.
    • Example: If an application allows images/*.jpg and doesn’t sanitise input, it might be possible to craft a malicious pattern.

Windows Systems

  1. Absolute Paths: Similar to *nix, providing a full path bypasses restrictions.
    • Example: Instead of expecting images\profile.jpg, an attacker might provide C:\Windows\system32\drivers\etc\hosts
  2. Relative Paths with Multiple Components: Using multiple ..\ sequences.
    • Example: ../../../../Windows\system32\drivers\etc\hosts
  3. Short File Names (8.3 Filenames): Windows creates short names for long filenames. Attackers might try to use these.
    • Example: If a file is named verylongfilename.txt, its short name might be VERYLO~1.TXT.
  4. Encoded Paths: Similar to *nix, URL encoding or other encoding schemes can bypass filters.
    • Example: An attacker might try images\%2e%2e%5cetc\hosts. Note the use of %5c for backslash.
  5. UNC Paths (Universal Naming Convention): Attackers can attempt to access network shares.
    • Example: \\server\share\file.txt

Prevention Strategies

  1. Input Validation: The most important step! Never trust user input.
    • Whitelist Approach: Only allow specific characters and file extensions. Reject anything else.
    • Blacklist Approach (Less Reliable): Block known malicious sequences like ../, .., absolute paths, etc. This is harder to maintain as attackers find new ways around it.
  2. Path Normalisation: Use built-in functions to canonicalise the path, then confirm the result still lies inside the intended root directory before using it.
    • *nix: realpath() in C/C++, or equivalent functions in other languages.
    • Windows: GetFullPathName() in C/C++.
  3. Chroot Jails (Linux): Confine the application to a specific directory, preventing access outside it.
  4. Least Privilege: Run the application with the minimum necessary permissions.
  5. Regular Security Audits and Penetration Testing: Identify vulnerabilities before attackers do.
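A containment check that applies strategies 1 and 2 above, added here as an example (not code from the G5 Cyber Security post): it decodes once, rejects absolute, drive-letter and UNC forms, canonicalises with realpath() and only then tests that the result still lies under the web root. The fixture directory, file names and the symlink are constructed for the demo; the inputs are the post's own sample paths, with extra ../ levels added where a single one would not leave the root.

```python
import os
import re
import tempfile
from urllib.parse import unquote

def safe_join(root: str, user_path: str) -> str:
    """Canonical on-disk path for user_path under root, or ValueError if it escapes."""
    decoded = unquote(user_path)            # one decode, as the web server would
    if "%" in decoded or "\x00" in decoded:  # double-encoded input or a NUL byte
        raise ValueError(f"bad characters in {user_path!r}")
    decoded = decoded.replace("\\", "/")    # treat Windows separators like '/'
    # Absolute, drive-letter (C:...) and UNC (//server/share) paths are never
    # accepted, even when they would happen to land inside the root.
    if os.path.isabs(decoded) or re.match(r"^[A-Za-z]:", decoded):
        raise ValueError(f"absolute path {user_path!r} not allowed")
    real_root = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks, so the containment test
    # below sees where the path really lands, not what the string looked like.
    candidate = os.path.realpath(os.path.join(real_root, decoded))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"{user_path!r} escapes {root}")
    return candidate

def demo() -> dict:
    """Constructed fixture: a web root with one image and a symlink pointing outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "images"))
    open(os.path.join(root, "images", "profile.jpg"), "w").close()
    secret = os.path.join(base, "secret.txt")              # outside the root
    open(secret, "w").close()
    os.symlink(secret, os.path.join(root, "images", "link.jpg"))
    cases = [
        "images/profile.jpg",                                  # legitimate request
        "/etc/passwd",                                         # absolute path
        "../../../../etc/passwd",                              # ../ chain
        "images/%2e%2e/%2e%2e/%2e%2e/etc/passwd",              # URL-encoded dots
        "images/%252e%252e/etc/passwd",                        # double-encoded dots
        "../../../../Windows\\system32\\drivers\\etc\\hosts",  # mixed separators
        "C:\\Windows\\system32\\drivers\\etc\\hosts",          # drive letter
        "\\\\server\\share\\file.txt",                         # UNC path
        "images/link.jpg",                                     # symlink out of root
    ]
    results = {}
    for case in cases:
        try:
            results[case] = os.path.relpath(safe_join(root, case), root)
        except ValueError:
            results[case] = "REJECTED"
    return results
```

Only the legitimate request survives; every other input, including the symlink that a plain string filter would never notice, is turned away by the same containment test.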