7

I'm trying to figure out if it is possible to traverse across drives or shares. If I have a path that is concatenated in a web application, where the prefix is a drive, such as this:

var path = "D:\\" + Request.Params["directory"];

Is it possible to use special characters or any other methods to get a reference to the C:\ drive instead of D:\ drive? I've tried pipes (|), semi-colons, URL-encoded nulls (%00), and several other things.

alecxe
joelvh
  • welcome to IT Security! "How to exploit" smells like a black-hat question, which is not in scope for IT Security. (If you were asking whether it is OK to use this code, that would be in scope, but I think we don't need to know how to exploit it to know the answer to that question.) – D.W. Aug 02 '11 at 20:13
  • You're right, the question stems from an application assessment. What I'm basically trying to confirm is that it is NOT possible to get to the C:\ drive and access sensitive files. – joelvh Aug 03 '11 at 19:01

2 Answers

4

In your example, I don't believe traversing to a different drive is possible solely through directory traversal (e.g. ..\..\..\windows\system32).

The most plausible way for an attacker to exploit this may be through a hard/symbolic link which points to somewhere on the C: drive.

If you were then using the path variable as an argument to a command (that is, shelling out) there may be other problems.

outside
  • I think the link you're looking for is something along the lines of `%windir%`. Also, depending on what utility is handling the `path` variable, switches or other parameters can be sent to it that will allow you to change the drive letter. For example, you could go from `D:\` directly to `C:\Program Files\` on a Windows box with `cd /d "C:\Program Files\"` in a command prompt. – Iszi Jul 29 '11 at 00:58
  • Perhaps of interest: I just jumped from `D:\` to `C:\Program Files\` at a command prompt with `cd /d "%windir%\..\Program Files\"` – Iszi Jul 29 '11 at 01:03
  • Thanks for that Iszi, I missed the '/d' switch, I didn't have a Windows machine available to play around. – outside Jul 29 '11 at 01:26
  • On Windows anyway. 'nix systems, where everything branches from a single root directory, give a new layer of security implications for this. – ewanm89 Jul 29 '11 at 10:50
4

I want to mention that, regardless of whether it is possible to traverse across drives, this code is insecure and should not be used.

For instance, it definitely allows path traversal within a single drive. It also allows access to certain special filenames that are implicitly linked into the namespace on every drive, such as CON, PRN, AUX, CLOCK$, NUL, COM0, ..., LPT0, ...

D.W.
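Both answers make claims that can be checked mechanically: `..` behind a drive-letter prefix cannot change the drive, it does reach every file on that drive, and reserved device names resolve on any drive. The script below is an added example and is not code from the question or either answer. It uses Python's standard ntpath module, which implements Windows path syntax on every platform, so it runs unchanged on Linux. The directory and file names in it are made up, and `resolve_under_root` is a hypothetical hardened replacement for the concatenation in the question, not a function from any framework. It also shows the pitfall the obvious fix runs into: joining with Path.Combine (or os.path.join) lets a rooted second argument replace the root entirely, which is exactly the cross-drive jump the question asks about.

```python
"""Model what "D:\\" + user_input can and cannot reach.

Added example, not code from the question or the answers. ntpath implements
Windows path syntax on every platform, so this runs unchanged on Linux.
Directory and file names below are made up for illustration.
"""
import ntpath

# The prefix from the question.
ROOT = "D:\\"

# Device names Windows resolves on every drive: the names listed in the second
# answer plus the full COM0-9 / LPT0-9 ranges. CLOCK$ is legacy but harmless to deny.
_RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(10)
}


def naive_path(user_part: str) -> str:
    """The question's pattern: plain concatenation, as the OS will interpret it."""
    return ntpath.normpath(ROOT + user_part)


def naive_drive(user_part: str) -> str:
    """Drive letter the concatenated path ends up on (upper-cased, e.g. 'D:')."""
    return ntpath.splitdrive(naive_path(user_part))[0].upper()


def join_path(user_part: str) -> str:
    """The Path.Combine / os.path.join pattern: a rooted second part replaces the root."""
    return ntpath.normpath(ntpath.join(ROOT, user_part))


def is_reserved_name(segment: str) -> bool:
    """True for CON, NUL, COM1.txt, 'con .log': only the stem before the first '.' counts."""
    stem = segment.split(".", 1)[0].rstrip(" ").upper()
    return stem in _RESERVED


def resolve_under_root(root: str, user_part: str) -> str:
    """Hypothetical hardened replacement: canonicalize, then prove containment.

    Raises ValueError for input that is rooted (drive letter, leading slash,
    UNC or \\\\?\\ prefix), that escapes root once '..' is collapsed, that
    contains a NUL byte, or that names a reserved device in any segment.
    """
    root = ntpath.normpath(root)
    if not root.endswith("\\"):
        # Without the trailing separator, root D:\app would accept D:\app-private\...
        root += "\\"
    if "\x00" in user_part:
        raise ValueError("embedded NUL rejected")
    if user_part.startswith(("\\", "/")) or ntpath.splitdrive(user_part)[0]:
        raise ValueError("rooted input rejected: %r" % user_part)
    candidate = ntpath.normpath(ntpath.join(root, user_part))
    # Case-insensitive prefix check on the canonical form, the same idea as an
    # ordinal-ignore-case StartsWith against Path.GetFullPath output in .NET.
    if not candidate.upper().startswith(root.upper()):
        raise ValueError("escapes root: %r -> %r" % (user_part, candidate))
    for segment in candidate[len(root):].split("\\"):
        if segment and is_reserved_name(segment):
            raise ValueError("reserved device name: %r" % segment)
    return candidate


if __name__ == "__main__":
    # Constructed probes an assessor might send to the concatenation in the question.
    for probe in ("..\\..\\Windows\\system32\\config\\SAM", "C:\\Windows\\win.ini", "..\\CON"):
        print(f"{probe!r:45} -> {naive_path(probe)!r} on {naive_drive(probe)}")
    print("join with rooted part ->", join_path("C:\\Windows\\win.ini"))
    app_root = "D:\\wwwroot\\files"  # made-up application directory
    for probe in ("reports\\q3.pdf", "..\\..\\secrets\\web.config", "..\\files-private\\x",
                  "C:win.ini", "\\\\server\\share\\x", "reports\\nul.txt"):
        try:
            print(f"{probe!r:35} OK  {resolve_under_root(app_root, probe)}")
        except ValueError as exc:
            print(f"{probe!r:35} REJECTED: {exc}")
```

Two things the script makes visible. First, with the drive root itself as the prefix, `resolve_under_root("D:\\", "..\\Windows\\win.ini")` passes the containment check and returns D:\Windows\win.ini, because nothing can escape a drive root; that is the second answer's point, the prefix is the whole drive, so every file on it is "inside". Second, ntpath models path syntax only: it does not follow symbolic links or junctions, does not resolve 8.3 short names, and does not strip trailing dots and spaces the way the Win32 layer does, so the first answer's warning about links still applies and the check has to be repeated against the final canonical path on the real file system. In the ASP.NET code from the question the equivalent is to reject Path.IsPathRooted input, call Path.GetFullPath on the combined string, and compare it with StringComparison.OrdinalIgnoreCase against the canonical root including its trailing separator.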