Unikrn: Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename

2017-07-28T10:25:17
ID H1:254200
Type hackerone
Reporter sp1d3rs
Modified 2017-08-23T12:12:46

Description

Thanks again @sp1d3rs, also for the summary. Nothing to add from our side except maybe for the wish for more reports having this quality.

Final comment: nothing from that bucket was ever exposed to any user except the uploader, also nothing in the bucket is there for real archiving purposes. I was able to escape from the unique directory (where the user's avatar is stored after uploading -https://unikrn-files.s3-eu-west-1.amazonaws.com/users/<userid>/<date>/<filename+params>) in the S3 bucket using ../ characters in the filename (for example, test../../../../../../test.jpg) on the https://unikrn.com/apiv2/user/upload endpoint. It was possible to upload arbitrary files to the any other directory, and also overwrite existing files (which could belong to other users) and resources.

Reproduction steps

1) Login to your profile on https://unikrn.com/profile 2) Start the Web Debugger 3) Upload any image as avatar and intercept the request to the https://unikrn.com/apiv2/user/upload 4) Change the filename in the request to the { "filename": "test2../../../../../../test2.jpg", "type": "image/jpeg", "reason": "image/*", "session_id": "<session>" } 5) Execute the request. 6) You now have test2.jpg in the root of your bucket.

Usually arbitrary file upload in the S3 bucket does not pose much risk, but not in the case when the attacker with no permissions is able to escape from the isolated directory, and affect/overwrite other files, which supposed to be not accessible for him.

The issue was fixed using filename sanitization, and i didn't find the way to bypass it. Thanks to the Unikrn team for the fast response, fix, and the bounty!