4

I have a binary that does this:

if (strstr(USERCONTROLLERSTRING, "..")) exit;
fopen(CurrentPath+"\\Data\\"+USERCONTROLLEDSTRING, "r");

then spits out all the content of the file. Is there any obvious vulnerability here?

It's a Windows service, it runs as SYSTEM, I'm trying to make it read sensitive files such as SAM or maybe some other vulnerability.

It only checks for ".." and it appends a user-provided arbitrary string to CURRENTPATH+"\\Data\\", then calls fopen.

P.S. Encoding, unicode, base64, %-coding, etc won't work as it does the strstr right before fopen call after all the decoding. But that's pretty much it, no other checks are done

P.P.S. It's a Windows EXE.

JohnDoes
  • 193
  • 6
  • Nothing jumps out, but it's good to have a hard-coded ending to the path, like `.jpg`, when possible. I might also validate a little more, to make sure that there's at least one dot (a file path) for example. – dandavis Jul 18 '18 at 16:10
  • @dandavis thank you. I'm not trying to patch it or write a secure code, the opposite, during a pentest, I came across this tiny webserver and trying to see if I can exploit it somehow. So you think the code is secure/safe? – JohnDoes Jul 18 '18 at 16:43
  • Does the attacker have the ability to create the win equiv of a symlink? – Jonah Benton Jul 18 '18 at 17:12
  • If this is running on Windows, there's a lot of [wacky tricks](https://sec-consult.com/en/blog/2018/06/pentesters-windows-ntfs-tricks-collection/) you can use on NTFS to cause unexpected results. Also, if the Data directory has any directory junctions, all bets are off. Ditto for if the user is allowed to create junctions/symlinks in the Data directory. – Mr. Llama Jul 18 '18 at 20:05
  • @JonahBenton I tried, since the service is in Program Files, low priv user can't create symlink or folder in that "Data" folder. – JohnDoes Jul 19 '18 at 01:56

1 Answer

1

Windows documentation includes a section regarding Security Considerations: International Features that may be worth a read, specifically involving Unicode normalization.

To answer your question: in a vacuum, assuming the user has no access to the system other than through your program, your code is fine.
That said, if an attacker has access to certain features, such as creating symbolic links/directory junctions, then it could be possible to bypass your security check. They would simply need to create a directory junction inside the \Data directory that points elsewhere, then access files through the junction instead.

Additionally, keep in mind that the attacker may have control over the variable you have labeled as CurrentPath. In Windows, you can run a program with a specified working directory even if that directory isn't the one the executable resides in. Combined with directory junctions, if there exists any location that the attacker can create a directory junction, they can potentially exploit your program.

Lastly, it may be worth noting that NTFS has some pretty niche features. On top of that, Windows supports multiple file and directory naming schemes. I'm not certain if any of these are directly exploitable in this situation, but they're worth keeping in mind.

Mr. Llama
  • 654
  • 3
  • 8
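The containment check the answer's junction scenario calls for, as an added example that is not the question's binary nor the answer author's code, written in Python for portability. It puts the question's `".."` substring check beside a hardened version that resolves the final path (following symlinks, and on Windows junctions) and requires it to stay under the Data directory; a constructed symlink stands in for the NTFS directory junction discussed above.

```python
import os
import shutil
import tempfile


def naive_check(user: str) -> bool:
    """The check from the question: reject only if ".." appears anywhere."""
    return ".." not in user


def contained_path(base_dir: str, user: str):
    """Hardened check: resolve both the Data directory and the requested file
    (os.path.realpath follows symlinks and, on Windows, junctions) and require
    the resolved target to remain inside the resolved Data directory.
    Returns the resolved path, or None if the request escapes Data."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `user` is absolute, so absolute
    # requests fall outside `base` and are rejected by the prefix test below.
    target = os.path.realpath(os.path.join(base, user))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def read_data_file(base_dir: str, user: str) -> str:
    path = contained_path(base_dir, user)
    if path is None:
        raise PermissionError("request resolves outside the Data directory")
    with open(path, "r") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: <tmp>/Data/ holding public.txt and a link to <tmp>,
    next to <tmp>/secret.txt which the service must never serve."""
    root = tempfile.mkdtemp()
    try:
        data = os.path.join(root, "Data")
        os.mkdir(data)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("SECRET")
        with open(os.path.join(data, "public.txt"), "w") as f:
            f.write("PUBLIC")
        os.symlink(root, os.path.join(data, "link"))  # stands in for a junction
        return {
            "naive_accepts_link": naive_check("link/secret.txt"),
            "hardened_rejects_link": contained_path(data, "link/secret.txt") is None,
            "hardened_accepts_public": read_data_file(data, "public.txt"),
            "absolute_rejected": contained_path(data, secret) is None,
        }
    finally:
        shutil.rmtree(root)
```

Note that the check still opens the file by its resolved name, so a link swapped in between the check and the open is not covered; that race is why a final-path check on the opened handle is the stronger form on Windows.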