CVE-2021-32061: Path Traversal via dump of malicious bucket #122

Closed
sa7mon opened this issue Nov 28, 2021 · 0 comments · Fixed by #121
sa7mon commented Nov 28, 2021

tl;dr

In version 2.0.1 and older of S3Scanner, if a user attempts to dump the contents of a bucket which contains objects with special characters in their keys, those characters can be used to save the files outside of the folder specified with --dump-dir.

Thanks

I'd like to give a huge thanks to a security researcher named RyotaK for reporting this issue to me. They provided a detailed explanation and helped walk me through the steps to reproduce. Very excellent experience.

The Bug

The issue is what's commonly known as a "path traversal" vulnerability. In this case, though, it's the ability to save files outside the intended area as opposed to reading files.

For example: this bucket was created by RyotaK for demonstration purposes.

[Screenshot: an S3 bucket listing showing object keys called '../' and '../test.txt']

See how the object keys contain ../? When S3Scanner goes to download such an object, it concatenates the dump directory and the object key to form the path the file is written to. So if a user ran the following command:

s3scanner dump --dump-dir /projects/s3scanner/buckets/ --bucket s3scanner-test-bucket

they would end up with a file called test.txt in /projects/s3scanner/ which is one level up from where they wanted it. By adding a bunch of these characters together (../../../../../) an attacker could craft a malicious object key which would place their file anywhere on the S3Scanner user's system.

You may be surprised (like I was) to learn that AWS allows such characters in object keys. Their documentation explains that while you can do this, there are limitations:

...

In addition, be aware of the following prefix limitations:

  • Objects with a prefix of "./" must be uploaded or downloaded with the AWS Command Line Interface (AWS CLI), AWS SDKs, or REST API. You cannot use the Amazon S3 console.

  • Objects with a prefix of "../" cannot be uploaded using the AWS Command Line Interface (AWS CLI) or Amazon S3 console.

In the "real world" the chances of an S3Scanner user encountering a bucket with these "malicious" keys are very low - especially considering I was not able to create such a bucket of my own. This threat poses a fairly low risk since the attack is fairly difficult to pull off and would only happen if a bad actor was purposely targeting users of this tool.

RyotaK has engaged MITRE who has reserved CVE-2021-32061 for this vulnerability. The CVE will be updated after this advisory has been posted.

Remediation

The good news is that I have already pushed the fix for this issue (#121). If an object to be downloaded has a key that would land outside of the --dump-dir, the file won't be downloaded. The user will get a message that looks like this:

[Screenshot: command-line output of dumping the bucket referenced above, which contains bad object keys. S3Scanner has skipped the files with relative path characters in their keys.]
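As an added illustration (not S3Scanner's own code and not the fix in #121), here is the naive join described in "The Bug" beside a containment check of the kind the remediation describes. The dump directory and object keys are constructed sample values.

```python
import os
from typing import Optional

# Constructed sample values mirroring the command in the issue.
DUMP_DIR = "/projects/s3scanner/buckets/"
SAMPLE_KEYS = [
    "docs/readme.txt",        # benign nested key
    "../",                    # the key shown in the bucket listing
    "../test.txt",            # lands one level above --dump-dir
    "../../../../outside.txt",# chained segments reach arbitrary locations
    "/etc/passwd",            # absolute key: os.path.join discards the base dir
    "docs/../../other.txt",   # traversal hidden in the middle of the key
    "docs/..weird/name",      # contains '..' but does not traverse
]

def vulnerable_target(dump_dir: str, key: str) -> str:
    """Pre-fix behaviour: naive join of dump dir and object key."""
    return os.path.join(dump_dir, key)

def safe_target(dump_dir: str, key: str) -> Optional[str]:
    """Return the destination path, or None if the key would escape dump_dir.

    realpath collapses '..' segments (and symlinks) before the check, and
    commonpath is used instead of a string prefix test so that a sibling
    such as '/projects/s3scanner/buckets2' is not accepted as a child.
    An absolute key makes os.path.join drop the base, which the same
    containment check then rejects.
    """
    base = os.path.realpath(dump_dir)
    candidate = os.path.realpath(os.path.join(base, key))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def plan_dump(dump_dir: str, keys: list) -> dict:
    """Map each key to its destination, or 'SKIPPED' when it is rejected."""
    return {k: (safe_target(dump_dir, k) or "SKIPPED") for k in keys}

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(f"{key!r:28} naive -> {vulnerable_target(DUMP_DIR, key)}")
        print(f"{'':28} safe  -> {safe_target(DUMP_DIR, key)}")
```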

I'll be drafting the v2.0.2 release to push out this update across the git repo, PyPI package, and Docker image.
