Summary
Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.
Details
The file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and replace the files owned by kuiper user on the filesystem. The vulnerable function is fileUploadHandler which is shown below:
|
func fileUploadHandler(w http.ResponseWriter, r *http.Request) { |
|
switch r.Method { |
|
// Upload or overwrite a file |
|
case http.MethodPost: |
|
switch r.Header.Get("Content-Type") { |
|
case "application/json": |
|
fc := &fileContent{} |
|
defer r.Body.Close() |
|
err := json.NewDecoder(r.Body).Decode(fc) |
|
if err != nil { |
|
handleError(w, err, "Invalid body: Error decoding file json", logger) |
|
return |
|
} |
|
err = fc.Validate() |
|
if err != nil { |
|
handleError(w, err, "Invalid body: missing necessary field", logger) |
|
return |
|
} |
|
if err := validate.ValidatePath(fc.FilePath); err != nil { |
|
handleError(w, err, "", logger) |
|
return |
|
} |
|
filePath := filepath.Join(uploadDir, fc.Name) |
|
err = upload(fc) |
|
if err != nil { |
|
handleError(w, err, "Upload error: getFile has error", logger) |
|
return |
|
} |
|
w.WriteHeader(http.StatusCreated) |
|
escapedContent := template.HTMLEscapeString(filePath) |
|
w.Write([]byte(escapedContent)) |
Exploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by kuiper user:
PoC
- The files should be uploaded to
/kuiper/data/uploads directory. So let's move to the /kuiper/data, examine the existing files and create an empty traversal-poc file owned by kuiper:
- Now, we can go to Services > Configuration > File Management and try to upload file with name
../test:
In the response we can see the path of the uploaded file and can assume that the traversal worked.
- Now we can try to change the
traversal-poc file that we know exists on the server. It can be made with the following request:
- Now, if we look at the server, we can see the file created in the traversed directory and the replaced poc-file:
Impact
- Possibility to upload files to external directories;
- Possibility to rewrite any file owned by kuiper user on the filesystem.
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
TheMostKnown Reporter
Summary
Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. In this case, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.
Details
The file handler function trusts the filename provided by the user. This includes the cases when the user uses a path instead of the filename. This makes possible to write arbitrary files to the system and replace the files owned by kuiper user on the filesystem. The vulnerable function is
fileUploadHandlerwhich is shown below:ekuiper/internal/server/rest.go
Lines 329 to 359 in 1e6b6b6
Exploitation of this vulnerability allows an attacker to rewrite the files owned by ekuiper including the main kuiper binaries as they are owned by kuiper user:
PoC
/kuiper/data/uploadsdirectory. So let's move to the/kuiper/data, examine the existing files and create an emptytraversal-pocfile owned by kuiper:../test:In the response we can see the path of the uploaded file and can assume that the traversal worked.
traversal-pocfile that we know exists on the server. It can be made with the following request:Impact
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone