Thursday 29 November 2012

Directory traversal vulnerabilities in jsupload.cgi.pl


Summary


Since the glory days of rain forest puppy (http://insecure.org/news/P55-07.txt) I have not spent much time looking at Perl scripts.
Recently however, I was checking out the jsupload.cgi.pl script and discovered two directory traversal vulnerabilities. Versions prior to version number 0.6.4 are vulnerable.

More information about the script can be found here:
http://code.google.com/p/gwtupload/wiki/JsUpload_Documentation#Server_script_(jsupload.cgi.pl)


Directory traversal when reading files


When the script receives an HTTP request other than a POST that carries a value for the parameter "show", the function "writeItemContent" is called with that value.



In the function "writeItemContent", the user input is used to construct a filename, and the contents of that file are then returned to the user.



From the code above, we learn that a remote user has complete control over the $item variable.
This makes it possible to break out of the upload directory with a series of "../" sequences and read any file on the system.
The script appends the ".bin" extension to the name, but by placing a poison NULL byte at the end of the supplied file name the string is cut off at that point when it reaches the operating system, so the appended ".bin" is discarded and a file with any other extension can be requested.

As a result, the following request will return the contents of the /etc/passwd file to a remote user:

GET /cgi-bin/jsupload.cgi.pl?show=../../../../../../../../etc/passwd%00


Directory traversal when writing files



A similar vulnerability is present when uploading files using a POST request.
When the script receives a POST request, the "doPost" function is called.
Within that function, the "saveFile" function is called with the $key variable as a parameter.
This variable is the name of the parameter specified in our POST request.



In the "saveFile" function, the parameter name is used to construct a filename and write to that file.



Because the Perl script uses a ">" character in front of the file name, it is not possible to use the poison NULL byte technique to specify our own file extension. As a result, it is only possible to write files with the ".info" and the ".bin" extension, but these can be written to any location on the system.

The following request will upload the files "pwnani.bin" and "pwnani.info" to the root directory of the remote server.
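The two vulnerabilities share one root cause: a request-controlled string is dropped into a file path without any check on what it contains. The snippet below is an added example, not code from the original post or from the jsupload project, and is written in Python rather than Perl so that it can be run directly. The directory name /var/www/uploads and the function names are placeholders; the post does not name the script's real upload directory. It models the read side ("show" parameter plus appended ".bin", with the NUL truncation the post describes) and the write side (the POST parameter name used for both ".bin" and ".info"), and puts a single hardened validator next to them that both code paths can use.

```python
import os
import re
from urllib.parse import parse_qs

# Constructed for this example: the post does not name the script's upload
# directory, so a placeholder is used throughout.
UPLOAD_DIR = "/var/www/uploads"

# Whitelist for the item identifier. Anything outside [A-Za-z0-9_-] is
# refused, which rules out '/', '.', NUL bytes and percent-escape residue
# in one step.
ITEM_RE = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def vulnerable_show_path(item, upload_dir=UPLOAD_DIR):
    """Model of the pattern the post describes (not the script's own code):
    the raw 'show' value is concatenated into "<dir>/<item>.bin" with no
    check. A two-argument Perl open() hands that string to the C library,
    which treats it as a C string and stops at the first NUL, so a trailing
    %00 in the request silently drops the ".bin" suffix. The truncation is
    modelled explicitly here so the resulting path is visible."""
    raw = upload_dir + "/" + item + ".bin"
    return raw.split("\x00", 1)[0]


def safe_item_path(item, ext, upload_dir=UPLOAD_DIR):
    """Hardened replacement: return the absolute path of <item><ext> inside
    upload_dir, or None if the identifier is unacceptable.

    Two independent layers, so that loosening one later does not reopen
    the hole:
      1. strict whitelist on the raw identifier (rejects '..', '/', NUL);
      2. containment check of the normalised path against the upload dir.
    """
    if not isinstance(item, str) or ITEM_RE.match(item) is None:
        return None
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, item + ext))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def show_param_from_query(query_string):
    """Decode the 'show' parameter the way a CGI library would, so that
    %00 becomes a real NUL byte before validation sees it."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("show", [])
    return values[0] if values else None


def upload_targets(param_name, upload_dir=UPLOAD_DIR):
    """POST side: the post explains that the *name* of the form parameter
    becomes the file name, with '.bin' and '.info' written side by side.
    Validate once and derive both paths, or refuse both."""
    paths = [safe_item_path(param_name, ext, upload_dir) for ext in (".bin", ".info")]
    if any(p is None for p in paths):
        return None
    return tuple(paths)


if __name__ == "__main__":
    # Constructed query string, taken from the GET request shown in the post.
    show = show_param_from_query("show=../../../../../../../../etc/passwd%00")
    print("vulnerable :", vulnerable_show_path(show))   # /var/www/uploads/../../../../../../../../etc/passwd
    print("hardened   :", safe_item_path(show, ".bin"))  # None
    print("POST ../../pwnani :", upload_targets("../../pwnani"))  # None
    print("POST pwnani       :", upload_targets("pwnani"))
```

The whitelist alone would already stop both requests from the post; the containment check is kept as a second line of defence so that a later change to the allowed character set (for example to permit dots in item names) cannot quietly bring the traversal back. Note that Perl's "taint" mode (-T) would have flagged both the "show" value and the parameter name as untrusted before they reached open(), which is the idiomatic way to enforce the same rule in the original script.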





Recommendation

Versions 0.6.4 and before are vulnerable to the attacks described in this post.
The vendor has been contacted about these vulnerabilities and has issued a new, patched version of the script, which can be found at: http://code.google.com/p/gwtupload/source/browse/jsupload/src/main/java/jsupload/public/jsupload.cgi.pl