Directory Traversal
Sunday, 17 July 2011 00:31
This document provides information on directory traversal attacks against a target host and on mitigating them. For these examples we will most likely be using an older version of Apache, and where that is not possible the information is provided by example in other ways.

PLEASE SEE LFI/RFI ATTACKS FOR A BETTER UNDERSTANDING



Directory Traversal:

Directory traversal is an attack in which the attacker tricks the web application into breaking out of its web root, /var/www/ on Linux or C:\inetpub\wwwroot on Windows. This can be as simple as executing a file such as cmd.exe to interpret commands, or including files such as /etc/passwd, or other system files on the Windows operating system.

The attack is performed against web applications which retrieve content dynamically. Directory traversal attacks alone can yield an immense amount of information about the server: from IP addressing schemes on the Windows end, using cmd.exe and ipconfig /all, to reading system files and even obtaining files such as /etc/passwd on the Unix end. There is a section on countermeasures at the end of this document; however, we will focus more on the attacks themselves than on the defense.

Finding The Vulnerability:

Finding a directory traversal vulnerability in a web application can be quite simple. However, the attack can grow in complexity depending on what the attacker is attempting to achieve, and it also depends heavily on the operating system. As stated previously, the attacks range from viewing system files and gathering information from those documents or settings to executing command prompts to perform other functions.

As pointed out before, web applications which load dynamic information, such as a PHP page, can be a dead giveaway as to where you should be looking for such attacks. The following is an example of a simple attack:

http://vulnerablesite.com/view.asp?=1930.html

Although the example doesn't look like much, the URL parameter can be changed at will to point at another resource. If the web application or security settings are misconfigured, an attacker can view more than just HTML pages (the blind SQL injection paper covers additional attacks that build on this technique as well). Simply replace the 1930.html page with the following:

http://vulnerablesite.com/view.asp?=../../../../../windows/system.ini

Sending the path shown above to a web application which is vulnerable to this attack returns the system.ini file of the Windows system. The attack is not exclusive to the Windows operating system: it can also be launched against a Linux / Unix based system to retrieve the users on the remote end for cracking. To attack a Linux based machine, enter the following: ../../../../../etc/passwd. Entering this displays the users associated with that remote Linux system. One rule of thumb when performing such a test, if it is successful, is DO NOT go for the root account. Many systems which run SSH have root logins disabled. Launch the attack against user accounts, then attempt to su to the root account. Attacking a root account directly can in some cases be a rat race to nothing at all.

The Microsoft Windows portion of the attack can be performed by requesting the following (from a scripts directory, and possibly from outside the scripts directory):

http://vulnerableserver.com/scripts/..%5c../windows/system32/cmd.exe?/c+dir+c:\

This dumps the entire listing of the C:\ directory to the attacker. Another method can be used to obtain the IP addressing scheme of the internal network, by requesting the following: http://vulnerableserver.com/scripts/..%5c../windows/system32/cmd.exe?/ipconfig+/all This dumps the system's addressing and displays all adapters to the remote end, including internal and internet-facing IP addresses. As shown with the %5c escape sequence, do not limit yourself to a few escape sequences. Experiment with the escape sequence listings to see which work best. A few patches were released for directory traversal which removed the ../ directives and tightened the handling of the %5c directives. Know the escape sequences and determine which ones work best for you. NEVER limit yourself to trying only one escape sequence or technique.

Other techniques which can be launched against a server use other types of encoding. The encodings are as follows:


Escape Sequence:    Decoded Text:
%2e%2e%2f           ../
%2e%2e/             ../
..%2f               ../
%2e%2e%5c           ..\

When speaking of dynamically generated pages, one must also look at CGI, JSP and ASP pages. The requests to look for are the POST and GET requests from the web document. Depending heavily on the operating system being tested, you will need some knowledge of where the web root is, and knowing where specific system files are located is also key. If the web root is /var/www/, your directory traversal attack would be entered as follows: ../../etc/passwd. If the remote end is using some form of virtualization, this changes the ballgame completely. Testing with ../, then ../../, and adding another until the file is hit is also helpful. If after 8 or 9 trailing dot-dot-slashes nothing happens, the web application may not be vulnerable.

It is also possible to retrieve the source code of certain files (CGI scripts) by entering the following; an attacker can then view the code used in the CGI requests and pages: http://vulnerablesite.com/cgi-bin/cgidoc.cgi?home=cgidoc.cgi

Countermeasures:

To defend against this type of attack, please see the security settings in the Input Field Validation and Directory Traversal Defense papers for more information. Another approach is to always keep your web server up to date and install the latest security patches provided by your web server vendor or your operating system vendor.
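As an added example (not code from the original article or from the site hosting it), the following Python shows the two defensive sides of what this document describes: a canonicalization check that decodes a requested path, undoing the %5c and %2e%2e encodings from the table above, and refuses anything that resolves outside the web root, and a detector run over constructed Apache-style log lines mirroring the requests discussed above. The web root /var/www, the helper names and the log lines are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # assumed web root, as in the article's Linux example

def normalize_target(target):
    """Decode twice (catches double encoding such as %252e) and treat a
    backslash like a slash, so ..%5c, %2e%2e%2f and ../ all look alike."""
    return unquote(unquote(target)).replace("\\", "/")

def canonical_path(web_root, requested):
    """Resolve the request against web_root; return the absolute path if
    it stays inside the root, or None if the '..' components escape it."""
    root = posixpath.normpath(web_root)
    decoded = normalize_target(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

def is_traversal_attempt(target):
    """True if any path, query or parameter component of the request target
    is '..' once the encodings from the table above are undone."""
    parts = re.split(r"[/?=&]", normalize_target(target))
    return any(part == ".." for part in parts)

# Apache combined-style access log line: client IP, then the request line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) ')

def scan_log(lines):
    """Return (client_ip, target) for every log line flagged as traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_traversal_attempt(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed log lines mirroring the requests discussed in the article.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2011:00:31:00 +0000] "GET /view.asp?=1930.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [17/Jul/2011:00:31:05 +0000] "GET /view.asp?=../../../../../windows/system.ini HTTP/1.1" 200 1024',
    '192.0.2.12 - - [17/Jul/2011:00:31:09 +0000] "GET /scripts/..%5c../windows/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 0',
    '192.0.2.13 - - [17/Jul/2011:00:31:12 +0000] "GET /cgi-bin/cgidoc.cgi?home=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

The detector checks the query string as well as the path, because in the view.asp and cgidoc.cgi examples the traversal arrives inside a parameter rather than in the path itself.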

© 2007 Network Defense Solutions, Inc.
All Rights Reserved