Early October, a path traversal vulnerability was reported to be affecting Apache and to be exploited in the wild (CVE-2021-41773). Shortly after CVE-2021-42013 was reported as the fix for the previous CVE wasn’t sufficient.
So, what is directory or path traversal and how does it work?
When changing directories using the command line on Windows or Linux, the cd command is commonly used. For example, in Windows, to change to the directory C:\Users\tarek\Desktop you can run the following in your terminal cd C:\Users\tarek\Desktop
Notice that the prompt has changed to indicate where the current working directory is (C:\Users\tarek\Desktop)
If we wanted to go “up” one directory, that is change from Desktop to tarek, the following command can be issued: cd ..
The dot-dot means go “up” one directory and you will notice that the current working directory has changed to C:\Users\tarek
The basis of directory traversal (also known as path traversal), is when a web application is misconfigured, allowing an attacker to do something similar to the above. In effect, the attacker is able to escape the web application directory and read files in other directories on the system.
Escaping The Web Application Directory
In the below example, the web application is hosted on a Linux machine and resides in the directory: /var/www/html/dvwa
Notice the index.php page under the dvwa directory. This is the main page of our application.
Inside the hackable directory, there is another directory called fi. And inside that directory there are some web pages that are vulnerable to directory traversal.
From inside the “fi” directory, if we were to walk up to read the contents for a file named passwd it will look like this
Alternatively, a faster way will be executing the command in one line as such.
And this is the basis of directory/path traversal.
Directory Traversal in Web Applications
Let us take the example of a vulnerable website of some bank. The website content includes a photo.jpg file under /var/www/html/images on the web server. The image file can be accessed, by pointing a web browser to the following link.
However, it happens that this website is vulnerable to directory traversal. For an attacker to be able to read other files in the system, she will have to go “up” three levels by using ../ three times. This will allow her to read other files present on the system that are outside the web directory.
The link to abuse the vulnerability will look as such.
And this what you see being used to exploit the vulnerability. In a blog post from Qualys demonstrating the exploit, an HTTP GET request was used as such:
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1
The %2e is URL encoding for the dot which is used to bypass the check for dot-dot. And when successful, this allows for reading the content of the /etc/passwd file and other files on the system.
I hope this clarifies the concept of directory/path traversal.
For any questions, comments or feedback, don’t hesitate to get in touch.
Qualys blog post: https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013