BusyBox Bug and Patch Tracking
ID: 0001008
Category: [BusyBox] Security
Severity: major
Reproducibility: always
Date Submitted: 08-24-06 16:47
Last Update: 11-10-06 15:22
Reporter: bug-finder
View Status: public
Assigned To: BusyBox
Priority: normal
Resolution: fixed
Status: closed
Product Version: 1.01
Summary: 0001008: httpd file traversal vulnerability
Description: The http daemon is vulnerable to a file traversal attack which can be easily exploited when a URL-encoded dot is used. This can lead to total system compromise. I have tested this with busybox 1.01 and I don't know if other versions are vulnerable.

Additional Information: proof of concept:
http://attacked-host//%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
Attached Files

- Relationships

- Notes
(0001740)
vda
11-10-06 15:22

Current svn is not exhibiting it. I think this code is guarding against /../ attack:

                /* algorithm stolen from libbb bb_simplify_path(),
                         but don't strdup and reducing trailing slash and protect out root */
                purl = test = url;

                do {
                        if (*purl == '/') {
                                if (*test == '/') { /* skip duplicate (or initial) slash */
                                        continue;
                                } else if (*test == '.') {
                                        if (test[1] == '/' || test[1] == 0) { /* skip extra '.' */
                                                continue;
                                        } else if ((test[1] == '.') && (test[2] == '/' || test[2] == 0)) {
                                                ++test;
                                                if (purl == url) {
                                                        /* protect out root */
                                                        goto BAD_REQUEST;
                                                }
                                                while (*--purl != '/') /* omit previous dir */;
                                                continue;
                                        }
                                }
                        }
                        *++purl = *test;
                } while (*++test);
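
The loop in the note can only recognise `..` after the percent-escapes have been decoded, so the order of the two steps decides whether the `%2e%2e` request from the report is caught. The C below is an added example, not BusyBox source and not code from this report: it decodes first and then runs the same loop. The function names, the return codes and the final terminator are assumptions of the example, and the test inputs are constructed.

```c
#include <string.h>

static int hexval(char c) {                 /* -1 if c is not a hex digit */
    static const char hex[] = "0123456789abcdefABCDEF";
    const char *p = c ? strchr(hex, c) : 0;
    if (!p) return -1;
    return p - hex < 16 ? (int)(p - hex) : (int)(p - hex) - 6;
}

/* Decode %XX in place; -1 on a malformed escape or an encoded NUL. */
int percent_decode(char *s) {
    char *out = s;
    while (*s) {
        if (*s != '%') { *out++ = *s++; continue; }
        int hi = hexval(s[1]), lo = hi < 0 ? -1 : hexval(s[2]);
        if (lo < 0 || (hi | lo) == 0) return -1;
        *out++ = (char)(hi * 16 + lo);
        s += 3;
    }
    *out = '\0';
    return 0;
}

/* Loop from the note above; requires url[0] == '/'. Return code and
 * terminator are additions made for this example. */
int simplify_path(char *url) {
    char *purl = url, *test = url;
    do {
        if (*purl == '/') {
            if (*test == '/') continue;                     /* extra slash */
            if (*test == '.') {
                if (test[1] == '/' || test[1] == 0) continue;   /* "." */
                if (test[1] == '.' && (test[2] == '/' || test[2] == 0)) {
                    ++test;
                    if (purl == url) return -1;     /* ".." above the root */
                    while (*--purl != '/') ;        /* drop previous dir */
                    continue;
                }
            }
        }
        *++purl = *test;
    } while (*++test);
    *++purl = '\0';
    return 0;
}

/* Hypothetical wrapper: decode, then simplify. 0 = buf is canonical, -1 = reject. */
int canonicalize_request_path(char *buf) {
    return (buf[0] == '/' && percent_decode(buf) == 0) ? simplify_path(buf) : -1;
}
```

Running the two steps in the opposite order lets the encoded path through the loop unchanged and produces `/../../etc/passwd` only afterwards, which is the case the decode-first wrapper rejects.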
 

- Issue History
Date Modified Username Field Change
08-24-06 16:47 bug-finder New Issue
08-24-06 16:47 bug-finder Status new => assigned
08-24-06 16:47 bug-finder Assigned To  => BusyBox
11-10-06 15:22 vda Status assigned => closed
11-10-06 15:22 vda Note Added: 0001740
11-10-06 15:22 vda Resolution open => fixed
11-10-06 15:22 vda Fixed in Version  => 1.2.x

