Directory traversal vulnerability exists in uploaded and downloaded files #48

Closed
@marckwei


Directory traversal

A code audit found that the file download function in Flamingo is vulnerable to directory traversal. Through this vulnerability, files anywhere on the server can be downloaded by supplying a traversal path.

Test environment

```
mysql> select version();
+-------------------------+
| version()               |
+-------------------------+
| 5.7.32-0ubuntu0.16.04.1 |
+-------------------------+
1 row in set (0.02 sec)
```

Vulnerability analysis

Flamingo is client/server (C/S) communication software. User A sends a file to user B. The server saves the file in a specific folder on the server and waits for user B to receive it. After user B sends the receive request, the server sends the corresponding file to user B.

When a file is uploaded, the MD5 hash of the file is used as the file name (unfortunately, the hash is computed on the client side).

The base directory of the cache files is hard-coded in the configuration file, and the file path is built by directly concatenating the base directory and the MD5 value. Files carry no identification of a specific user: all files are stored together with no distinction between users (that is, the server does not know whom a file belongs to, and any file can be downloaded as long as the correct file path is supplied to the server).

PoC

From the simple analysis above, it can be seen that this file transfer function has a number of security issues. Only the most serious one is demonstrated here.

This can be seen in the implementation of the onDownloadFileResponse function in FileSession.cpp:

```cpp
// The download path is the configured base directory with the
// client-supplied md5 string appended; nothing validates filemd5.
string filename = m_strFileBaseDir;
filename += filemd5;
m_fp = fopen(filename.c_str(), "rb+");
```

Since the download path is built by directly concatenating the base directory and the MD5 value, as long as the file name can be controlled, a file name of the form ../../../pwd.txt achieves directory traversal and downloads any file.

Flamingo's problem is that the MD5 value is computed on the client side, and because the communication protocol is open source, it is easy to forge.

Find the location where the client sends the download command and tamper with the file name.

Add the following statement to filetaskThread.cpp:

[image: the added statement in filetaskThread.cpp, not recovered]

[images 2, 3, 4: screenshots of the test, not recovered]

During testing it was found that when the tampered file path does not exist, the server first creates the file, then writes the contents of the sent file into it, and then serves it to the recipient. So this vulnerability can also be used to write to an arbitrary location (multi-level directory traversal is possible).
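The root cause in both the download and the write case is the same: the server appends a client-supplied string to m_strFileBaseDir without checking that it is actually an MD5 digest, and it never records which user a cached file belongs to. The following is an added example (not Flamingo's code) of the two server-side checks that close both holes: a strict digest check before any path is built, and a per-file recipient table consulted before a download is served. The base directory value, the registry class and the user ids are constructed for the example; m_strFileBaseDir and filemd5 only mirror the names quoted from FileSession.cpp.

```cpp
#include <map>
#include <string>

// Constructed placeholder for the hard-coded cache directory (the real value
// lives in Flamingo's configuration file and is not quoted in the report).
static const std::string kFileBaseDir = "/var/flamingo/filecache/";

// The join exactly as the report describes it: base dir + client string.
// "../../../pwd.txt" passes straight through and escapes the cache dir.
std::string unsafeCachePath(const std::string& baseDir, const std::string& filemd5) {
    std::string filename = baseDir;
    filename += filemd5;
    return filename;
}

// An MD5 hex digest is exactly 32 characters from [0-9a-f]. Anything else
// (slashes, dots, backslashes, NUL, uppercase) is rejected before it can
// become part of a path. Accept only lowercase; if clients may send uppercase,
// normalize on the server before calling this, never in the path join.
bool isValidMd5Hex(const std::string& s) {
    if (s.size() != 32) return false;
    for (unsigned char c : s) {
        bool hex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f');
        if (!hex) return false;
    }
    return true;
}

// Hardened join: only a well-formed digest is ever appended, so the result is
// always a direct child of baseDir. Returns false and leaves `out` untouched
// on rejection so callers cannot accidentally use a half-built path.
bool safeCachePath(const std::string& baseDir, const std::string& filemd5,
                   std::string& out) {
    if (!isValidMd5Hex(filemd5)) return false;
    out = baseDir + filemd5;
    return true;
}

// Hypothetical ownership table (not part of Flamingo): the server records the
// intended recipient at upload time and refuses downloads by anyone else, so
// knowing a correct digest is no longer enough to fetch another user's file.
class FileRegistry {
public:
    // Returns false if the digest is malformed; nothing is recorded then.
    bool registerUpload(const std::string& filemd5, int recipientId) {
        if (!isValidMd5Hex(filemd5)) return false;
        m_owner[filemd5] = recipientId;
        return true;
    }

    // Authorizes a download: the name must be a valid digest, must have been
    // uploaded, and must be addressed to the requesting user.
    bool authorizeDownload(const std::string& filemd5, int userId,
                           std::string& path) const {
        if (!isValidMd5Hex(filemd5)) return false;
        auto it = m_owner.find(filemd5);
        if (it == m_owner.end() || it->second != userId) return false;
        return safeCachePath(kFileBaseDir, filemd5, path);
    }

private:
    std::map<std::string, int> m_owner;
};
```

The digest check also covers the write case: an upload whose name fails isValidMd5Hex is rejected before the server ever creates or opens a file, so the "create then write" behaviour observed in the test cannot be pointed outside the cache directory.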

[image 5: screenshot of the arbitrary write test, not recovered]

The file is sent again here. The file is written to the Desktop.

[image 6: screenshot showing the written file on the Desktop, not recovered]
