The hacker, the photographer and the rival: Path Traversal

Artbit is an online social network where users can register for free and upload their own digital pictures in order to share them with the world and get popularity. To attract more visitors, the creators of the social network have launched a challenge on their platform which will reward the user who will upload the best picture. Any user can join the competition by simply signing up on the platform and uploading his or her own best pictures through an appropriate friendly user interface. After the competition deadline, the user owning the picture that received more likes will be proclaimed winner. Therefore, users from all over the world have signed up to participate in the contest and have already uploaded all sorts of images hoping to attract as many likes as possible. The current ranking is always clearly visible on the website’s homepage and shows the top four pictures along their artist and the number of received likes. You can also try yourself 🙂

The story of the hacker, the photographer and the rival

Among these participants, there is also Carol, a beginner photographer but with great ambitions. Carol is a second year high school student, she lives a normal life spending her time with other girls of her same age and following her passions during her spare time. She also loves reading books and likes taking pictures of that landscapes resembling the locations where she imagines her novels could take place.

Carol’s photo

Carol, after an exhaustive research among the many pictures she took during her life, she chooses a picture depicting a frozen castle she visited during her last trip in Harbin, a city situated in the north-east of China in a region called Heilongjiang. The city is also known for its extremely cold temperatures with low peaks of less than -30 degrees during the coldest months. Its long and cold winter pushed local artists to challenge themselves in building impressive sculptures made out of ice with the most creative ones arriving erecting entire buildings using only blocks of ice. Carol was attracted by that image since it is similar to how she imagined a castle described in one of the many fairy tales her mum used to read her during her childhood.

Frozen castle at Harbin Ice and Snow World.
This is Carol’s photo

Afterwards, she signs up on the Artbit platform and officially joins the competition uploading her picture through the website upload interface.

Carol while uploading her picture

After a few days, her picture has already climbed the ranking achieving an impressive first place with a total of 2885 likes.

Artbit current ranking with Carol on the first place

Carol is very happy about her results and immediately shares her amazing performance with her friends to show them the success her picture got so far.

As you can see, news spread very quickly

Alice the mood breaker

undefined In fact, the news of Carol’s success reached also the phone of her rival, Alice. Alice, beside being the ex-girlfriend of Bob, she is also an expert photographer. Winning photographic competitions is part of her daily routines and she thinks to be a magnet attracting success from any activity she takes part. Moreover, she has just come back from her holiday in Puglia, a coastal region situated in the south of Italy, bringing back also a rich payload of amazing pictures. Puglia is a quite warm region where summer lasts for most of the year, thus making it perfect to have long seaside seasons as well as offering typical Mediterranean landscapes and villages. As soon as she reads the news, she immediately signs up on the Artbit platform and puts into the competition a perfect photographic shot she took at Alberobello, a small city famous for its particular habitations called “Trulli”.

Typical buildings in Alberobello called “Trulli”.
This is Alice’s photo

A couple of days after her upload, a rain of likes has already flooded her account reaching an astonishing amount of 15783 likes, and of course, placing her on the first position surpassing Carol.

Now is Alice dominating the ranking of Artbit

Her success is also accompanied by streams of comments praising both her skills and her wonderful location.

Alice’s image is receiving a lot of comments praising her success

Carol gets depressed at the view of the first place getting far away from her, but things gets even worse when she finds out that her number one rival owned the top-one picture. As the days go on, the gap between her likes and Alice’s ones keeps enlarging while her last hopes keeps vanishing like Harbin’s ice left under the hot sun of Puglia. As the situation gets worse, she decides to play her trump card: letting her friend Heike solve the situation.

Heike’s plan

undefined Carol, not having any other choice, remembers she has a friend, Heike, who has always been able to solve many of his problems taking advantage of his advanced computer science skills. Heike is an expert of computer science and hacking, moreover, website hacking is one of his favorite skills. Website hacking means exploiting code vulnerabilities to alter or manipulate a website’s content or its database.

Carol explains her problem to his trusted friend, Heike. They have to find a way to make Alice lose some of her likes or at least preventing them to grow too much. It’s seems a quite hard task, but Heike, after thinking over for a while, immediately comes up with a solution. He claims to be able to replace Alice’s picture with another one (a bad one) at his choice with the goal of repelling other users from giving likes to her.

You may belive this is impossible, how can Heike manipulate the social network replacing someone’s else picture with one of his own?

Here is Heike’s solution:

Path reversal attack

Heike is going to alter the content of the website through a path reversal attack. The logic behind the trick is the following: when we upload a picture on the website, it will be stored in a specific directory of the server hosting the website. The path of this directory is composed by a fixed part and a variable part which depends on the account’s attributes such as its username and name of the uploaded image. Hence, if the name of the image that we are going to upload contains a valid path inside its name (i.e. \directory1\directory2\my_image.jpeg), a malicious user may instead upload its image in any position, eventually overriding an existing one (i.e. a picture is already present at the path \directory1\directory2\my_image.jpeg).

To begin with, let’s start exploring the structure of the directory tree of the website and find out where are actually stored the uploaded pictures. To do so, let’s click on any picture in the gallery on in the homepage to be addressed to another page showing its details such as author, description, likes and so on. In this example I let’s use the picture Lone Wolf owned by the user Noctis which can also be directly opened with the following link.

Details page of the Lone Wolf image

Next, let’s open the inspection tool of our browser (right click, then select Inspect or Inspect Element depending on your browser) to locate the path where the image is stored. If everything goes smoothly we should find a Html command looking like the following.

<img id="myimage" src="Images/Art/Noctis/Lone%20Wolf.jpeg" alt="Lone Wolf">

Understanding Html is not required for this task since it is evident that the string src="Images/Art/Noctis/Lone%20Wolf.jpeg shows us the path where Noctis‘ image is located (the %20 that is commonly seen in URLs is just a way to represent a space). We could also repeat the same operation on other images to discover that the pattern is always the same: Images/Art/Username/ImageName.jpeg

The next step consists in signing up or logging into the website and moving to the upload page. Now we have to pay attention to the name we are going to give to our image. Normally, out image would be stored at the location Images/Art/MyUsername/. Thus, we have to go back of one directory using the ../ string and then go inside the directory containing Noctis‘ images which is Images/Art/Noctis/ and save there our jpeg image whose file name will be Lone Wolf.jpeg. Therefore, the whole name we are going to give to our image in the relative field of the upload page will be: ../Noctis/Lone Wolf since after a few attempts we could realize that the.jpeg extension is automatically added to prevent users from uploading files that are not images. In this way we are going to save our fake Lone Wolf.jpeg in the Noctis‘s directory space replacing its original Lone Wolf.jpeg image.

Path traversal attack

Now, if we to back to the gallery, we will see that the old picture has been replaced by a new one without altering anything else inside the website’s database.

Details page of the Lone Wolf image with the original image replaced by a new one

Game over

Following Heike’s procedure, Carol compromises her rival’s account replacing her successful picture with a funny one Heike gifted to her.

Alice is still leading the ranking but her new image won’t attract too many likes

Such an image it’s like a powerful umbrella that not only stops likes from flooding her account but also makes other users considering removing both the likes they previously gave to her and replacing their previous comments with more shocked ones. As a result, Alice’s image gets hibernated in a long winter while Carols’ Frozen Castle can finally surpass it on the Artbit’s ranking.

The sabotage of Alice’s account allows Carol to get back her top-one position

At the end, Alice can’t do nothing but desperately crying with her friend starring at the playfully image Carol left to her.

Alice seems now having lost her presumptuous disposition

With Alice out of the game, Carol can resume running again on that straight road her rival was obstructing, thus leading her to the high levels of photography.

How to fix it

The way to fix this vulnerability simply consists in not allowing the users to use directory paths as name of their images. For instance, we can prevent it by deleting or replacing all the / characters contained in their images’ name. The following PHP function does right this job where $path contains the name of the image we want to upload:

function escapePathTraversal($path){
    return str_replace("/", "", str_replace(".", "", $path));
}

On the real version of Artbit has been used a similar function to prevent users from repeating Heike’s attack. Anyway, the code has been written such that only the image Lone Wolf of the user Noctis is still vulnerable to this trick. So you are welcome to repeat it and put it a like if you should succeed, or why not, look for other secret vulnerabilities and exploit them to further compromise the website. But I’m sure you can’t 🙂

References

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s