However, Java IO libraries hand off strings to the underlying OS, which in most cases uses ‘C’ engine for final processing. And the ‘C’ processor always rejects anything beyond the null byte character.
Here is almost real-world piece of code:
String txtFileNameVariable = "application.log";
String dirVariable = "./";
if (request.getParameter("dir")!= null && request.getParameter("dir").length()>0)
dirVariable = request.getParameter("dir")
String PathVariable = dirVariable + File.separator + txtFileNameVariable;
BufferedReader bufferedReader = new BufferedReader(new FileReader(PathVariable));
String dirVariable = "./";
if (request.getParameter("dir")!= null && request.getParameter("dir").length()>0)
dirVariable = request.getParameter("dir")
String PathVariable = dirVariable + File.separator + txtFileNameVariable;
BufferedReader bufferedReader = new BufferedReader(new FileReader(PathVariable));
If we manage to assign to the dirVariable wickedly crafted string with null Byte inside it, everything that goes after the null byte will go straight to nowhere, and the first part will be used to open a file we want.
I like this example:
dirVariable = "/etc/passw\0x00";
Now Java will calculate PathVariable as "/etc/passwd\0x00/application.log".
But FileReader – viola - will open "/etc/passw” file.
Another interesting point is how to pass null byte to Java using HTTP protocol.
To achieve that, an attacker can manipulate HTTP request and embed an HTTP ‘null byte’ equivalent:
So, dir in our example should be "/etc/passw%00", where '%00' is a URL-encoded null byte.
This obvious and well-known problem is confirmed to exist on almost every platform up to JDK 7 (exactly, Java 7u40)
Finally, in May 1013 Oracle fixed the issue: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846
If your production server uses Java 7u40 or later, only then you are safe and an exception will be thrown:
java.io.FileNotFoundException: Invalid file path
No comments:
Post a Comment