[WEB SECURITY] ../ filtered

Mike Duncan Mike.Duncan at noaa.gov
Wed Feb 17 15:06:45 EST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Beatriz, I think what Juan Carlos was referring to was the NULL
terminator being part of the attack...not the resulting transposed
characters. Some languages, mostly C-based ones, are susceptible to
seeing a NULL terminator and ending the processing of the string at that
point. So, if we pass...

../../../%00%2E/%2E/%2E/boot.ini

...the regular expression presumably checking the incoming string will
see everything up to the %00 (NULL terminator) and then pass the string
along within the application. It may convert the chars before but I
think what he was asking is if you see the characters afterward
converted as well.  If so, then this attack is not going to work really.
If not (and the NULL terminator may even get encoded) the appended
characters may get processed within the application as-is (i.e.
///?../../../boot.ini).

Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
151 Patton Ave.
Asheville, NC 28801-5001
mike.duncan at noaa.gov
828.271.4289


Beatriz Duran wrote:
> It gets transformed into: �
> 
> 
>  
> I Have Learned So much from God That I can no longer Call Myself A
> Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so
> much of Itself With me That I can no longer call myself A man, a woman,
> and angel Or even pure Soul. Love has Befriended Hafiz so completely It
> has turned to ash And freed Me Of every concept and image My mind has
> ever known. –Hafiz, Persian poet (1315 – 1390)
> 
> 
> ------------------------------------------------------------------------
> *From:* "Calderon, Juan Carlos (GE, Corporate, consultant)"
> <juan.calderon at ge.com>
> *To:* Beatriz Duran <beatrizdrn at yahoo.com>; websecurity at webappsec.org
> *Sent:* Wed, February 17, 2010 8:33:30 AM
> *Subject:* RE: [WEB SECURITY] ../ filtered
> 
> What about the null character? Does it break the string or is it passed
> to the OS?
>  
> Regards,
> Juan Carlos
> 
> ------------------------------------------------------------------------
> *From:* Beatriz Duran [mailto:beatrizdrn at yahoo.com]
> *Sent:* Martes, 16 de Febrero de 2010 04:16 p.m.
> *To:* websecurity at webappsec.org
> *Subject:* Re: [WEB SECURITY] ../ filtered
> 
> The vertical tab is converted to space so you get something like "/. ./"
> does not exist.
> 
> folder=c:\ or folder=/etc/ would not work because there is a
> prefixed root so you would get something like: /rootdirectory/etc
> doesn't exist.
> 
> ------------------------------------------------------------------------
> *From:* "Calderon, Juan Carlos (GE, Corporate, consultant)"
> <juan.calderon at ge.com>
> *To:* Beatriz Duran <beatrizdrn at yahoo.com>; Shlomi Narkolayev
> <shlominar at gmail.com>; websecurity at webappsec.org
> *Sent:* Tue, February 16, 2010 10:18:18 AM
> *Subject:* RE: [WEB SECURITY] ../ filtered
> 
> I have two more rare cases that might help; I have seen these only a
> couple of times.
>  
> 1. Use a null char or a vertical tab between the .., it might bypass the
> filter but the OS interprets it correctly; this works on some Windows
> systems, but I'm not sure on Linux.
> 2. Try absolute paths "folder=/etc/"; it is kind of obvious, but I have
> seen it working a couple of times when the logic detects if it is absolute
> and passes it as is.
>  
> Regards,
> Juan Carlos
> 
> ------------------------------------------------------------------------
> *From:* Beatriz Duran [mailto:beatrizdrn at yahoo.com]
> *Sent:* Martes, 16 de Febrero de 2010 08:40 a.m.
> *To:* Shlomi Narkolayev; websecurity at webappsec.org
> *Subject:* Re: [WEB SECURITY] ../ filtered
> 
> Shlomi,
> 
> I tried those already, but they and the ones with ".." are rejected; the
> variable is verifying the string before running it, and with the
> combination:
> 
> %252e%252e/FILENAME this happens:
> 
> viewfiles.php?folder=%252e%252e/
> 
> The 25s are removed, so the %2e%2e are left but transformed into pure
> text, so the page reports that the directory %2e%2e doesn't exist; but if
> I apply purely viewfiles.php?folder=%2e%2e/ the page rejects them and
> says .. are not allowed.
> 
> ------------------------------------------------------------------------
> *From:* Shlomi Narkolayev <shlominar at gmail.com>
> *To:* beatrizdrn at yahoo.com; websecurity at webappsec.org
> *Sent:* Tue, February 16, 2010 12:41:16 AM
> *Subject:* RE: [WEB SECURITY] ../ filtered
> 
> Try these:
> ..%5c..%5cFILENAME
> %2e%2e\%2e%2e\FILENAME
> ..%c0%af..%c0%afFILENAME
> ..%255c..%255cFILENAME
> %252e%252e/FILENAME
> ..%2f..%2fFILENAME
> ..%252f..%252fFILENAME
> 
> 
> Soon I'll upload to my blog <http://narkolayev-shlomi.blogspot.com/> 1400
> new variants for directory traversal.
> 
> Kind Regards,
> Narkolayev Shlomi.
> 
> 
> *From:* Beatriz Duran [mailto:beatrizdrn at yahoo.com]
> *Sent:* Monday, February 15, 2010 9:43 AM
> *To:* websecurity at webappsec.org
> *Subject:* [WEB SECURITY] ../ filtered/
> 
> Hi, I need to find a vulnerability in a url that could be exploited for
> directory traversal and LFI; the page is working with PHP but it is
> filtering /../ and also /%2e%2e/, because the page is using ISO for
> Latin characters I can't use unicode extended because it reinterprets
> with other values; is there another way to work around the filter?
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt8TFQACgkQnvIkv6fg9hZhRwCfQCoLqJ7gxo6nmUclab4mcFb7
AzEAn3p1Q7OKSd8xUk4AtiEWd+kXEYud
=EOO5
-----END PGP SIGNATURE-----
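The thread turns on whether a string-level filter for "../" sees the same path the operating system eventually opens: NUL truncation, backslash separators, overlong UTF-8, double encoding and absolute paths are all ways the two can disagree. The validator below is an added example, written for this archive page in Python rather than the PHP the thread discusses; it is not code from any poster. It assumes a hypothetical document root `BASE_DIR` and takes the raw query-string value as input. Instead of searching the string for `..`, it decodes exactly once (strictly, so overlong sequences such as `%c0%af` are rejected rather than mapped to a slash), refuses control characters including NUL and vertical tab, normalises backslashes, and then compares the resolved absolute path against the document root. The sample inputs are the variants quoted in the thread plus one legitimate folder name and are constructed for this example.

```python
import os
from urllib.parse import unquote_to_bytes

# Hypothetical document root; any directory the application serves files from.
BASE_DIR = "/var/www/files"


def decode_once(raw):
    """Percent-decode exactly once, as the web server does before PHP sees
    $_GET. Decoding to bytes and then strictly decoding UTF-8 rejects
    overlong sequences such as %c0%af, which a lenient decoder might map
    to '/'. Returns None for input that is not valid UTF-8."""
    try:
        return unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        return None


def resolve_under_base(raw_folder, base_dir=BASE_DIR):
    """Return the canonical absolute path for raw_folder if it lies inside
    base_dir, otherwise None.

    The decision is made on the resolved path, not on the presence of '..'
    in the string, so it does not matter how a traversal is spelled."""
    folder = decode_once(raw_folder)
    if folder is None:
        return None
    # NUL would truncate the string in C-based code further down the stack;
    # a vertical tab or any other control character has no business in a
    # folder name either. Reject the request outright instead of cleaning it.
    if any(ord(ch) < 0x20 for ch in folder):
        return None
    # Treat backslash as a separator so '..\\..\\' is normalised the same
    # way on POSIX as Windows would treat it.
    folder = folder.replace("\\", "/")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when folder is absolute ('/etc/'), and
    # realpath collapses every remaining '..', so the prefix test below
    # catches both absolute paths and relative traversals.
    candidate = os.path.realpath(os.path.join(base, folder))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


# Constructed inputs: the variants quoted in the thread plus one legitimate
# folder name. The comments state the outcome the validator produces.
SAMPLE_INPUTS = [
    "reports/2010",                         # legitimate, stays under BASE_DIR
    "../../../%00%2E/%2E/%2E/boot.ini",     # NUL-truncation attempt: rejected
    "..%5c..%5cFILENAME",                   # backslash separators: rejected
    "..%c0%af..%c0%afFILENAME",             # overlong UTF-8 slash: rejected
    "%252e%252e/FILENAME",                  # double encoding: after one decode the
                                            # folder is the literal name '%2e%2e',
                                            # which stays under BASE_DIR (allowed,
                                            # and simply does not exist)
    "..%0b/..%0b/etc",                      # vertical tab between the dots: rejected
    "/etc/",                                # absolute path: rejected
]


def classify(raw_folder):
    """Return 'allowed' or 'rejected' for one raw query-string value."""
    return "allowed" if resolve_under_base(raw_folder) is not None else "rejected"


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(f"{raw!r:40} -> {classify(raw)}")
```

Note that the double-encoded input is reported as allowed: after a single decode it names a directory literally called `%2e%2e`, which is exactly what Beatriz observed ("the directory %2e%2e doesn't exist"). That is the correct outcome; the danger only appears if the application decodes a second time, which this validator never does.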
