A directory traversal vulnerability occurs when a web application fails to properly sanitize user input before using it to access data or configure settings. In order for an attacker to exploit a directory traversal vulnerability, they must first convince a user to visit a specially crafted website. For example, an attacker could trick a user into visiting an untrusted or compromised website by sending the user a link via email, posting it to a social networking site, or setting up a malicious webpage on a compromised hosting server. A directory traversal vulnerability may also be leveraged when a user browses to a malicious website on the internet. For example, some hacker groups have used compromised websites to host malware, or launch phishing attacks that trick users into providing login credentials.

CVE-2022-29299

This vulnerability is currently assigned CVE-2022-29298.
A directory traversal vulnerability is a type of injection attack that allows malicious users to access files on a web server that they otherwise would not be able to access. This particular vulnerability allows the attacker to browse through directories on the target server, thus allowing them to read any data stored in these folders. A directory traversal attack may also be used to change configuration settings on the target server. The most common exploitation of this vulnerability occurs when visiting a compromised website as it provides easy way for attackers to trick users into visiting an exploit site that contains a malicious iframe or other code that exploits the issue.

Summary

A directory traversal vulnerability allows an attacker to access the file system of a web application. This type of vulnerability is considered a cross-site scripting (XSS) vulnerability because it allows an attacker to execute scripts in another website.

Vulnerability overview

A directory traversal vulnerability can be exploited to access sensitive data, or configure settings on the web application. If an attacker is able to navigate past the intended protection mechanisms of a web application, they may be able to read or modify any data that is located on that system. Successful exploitations of this vulnerability often result in the disclosure of sensitive information and/or the modification of configuration settings on a website. For example, if an attacker could access the database structure via this vulnerability and then delete all records in that database, they could potentially delete all company data.

Get Started with File System Exploitation

Directory traversal vulnerabilities can be exploited in different ways. In order to exploit this vulnerability, the attacker must first convince the victim to visit a specially crafted website or attempt to browse to a malicious website on the internet. For example, some hacker groups have used compromised websites to host malware and launch phishing attacks that trick users into providing login credentials. The directory traversal vulnerability may also be leveraged when a user browses to an untrusted or compromised file system. For example, a malicious website could upload PHP scripts that are executed when users visit the site. If you're looking for some guidance on how you can get started with file system exploitation, I recommend checking out this blog post from my colleague, Josh Mitchell.

Josh's blog post goes over many of the steps you'll need to take in order to successfully hack and exploit these vulnerabilities, as well as what tools are necessary for success.

Josh's blog post is available here: https://www.sans.org/blog/filesystem-exploitation-step-by-step-with-josh

Exploit

# Exploit Title: SolarView Compact 6.00 - Directory Traversal
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : Aiactive
# Author linkedin profile : https://www.linkedin.com/in/ahmedalroky/
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29298

# Tested on: Windows

# Exploit: http://IP_ADDRESS/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg

Timeline

Published on: 05/12/2022 16:15:00 UTC
Last modified on: 06/03/2022 18:15:00 UTC

References