
CVE-2021-32061: Path Traversal via dump of malicious bucket #122

Closed
@sa7mon


tl;dr

In S3Scanner version 2.0.1 and older, if a user attempts to dump the contents of a bucket which contains objects with special characters in their keys, those characters can be used to save the files outside of the folder specified with --dump-dir.

Thanks

I'd like to give a huge thanks to a security researcher named RyotaK for reporting this issue to me. They provided a detailed explanation and helped walk me through the steps to reproduce. Very excellent experience.

The Bug

The issue is what's commonly known as a "path traversal" vulnerability. In this case, though, it's the ability to write files outside the intended directory, as opposed to reading files from outside it.

For example: this bucket was created by RyotaK for demonstration purposes.

screenshot of an S3 bucket listing showing a key called '../' and '../test.txt'

See how the object keys contain ../? When S3Scanner goes to download that object, it concatenates the dump directory and the key to form the path the file gets written to. So if a user ran the following command:

s3scanner dump --dump-dir /projects/s3scanner/buckets/ --bucket s3scanner-test-bucket 

they would end up with a file called test.txt in /projects/s3scanner/, which is one level up from where they wanted it. By chaining a number of these sequences together (../../../../../), an attacker could craft a malicious object key which would place their file anywhere on the S3Scanner user's system that the user can write to.

You may be surprised (like I was) to learn that AWS allows such characters in object keys. Their documentation explains that while you can do this, there are limitations:

...

In addition, be aware of the following prefix limitations:

  • Objects with a prefix of "./" must be uploaded or downloaded with the AWS Command Line Interface (AWS CLI), AWS SDKs, or REST API. You cannot use the Amazon S3 console.

  • Objects with a prefix of "../" cannot be uploaded using the AWS Command Line Interface (AWS CLI) or Amazon S3 console.

In the "real world" the chances of an S3Scanner user encountering a bucket with these "malicious" keys are very low - especially considering I was not able to create such a bucket of my own. This threat poses a fairly low risk since the difficulty of pulling off the attack is a bit high and it would only happen if a bad actor were purposely targeting users of this tool.

RyotaK has engaged MITRE, which has reserved CVE-2021-32061 for this vulnerability. The CVE record will be updated after this advisory has been posted.

Remediation

The good news is that I have already pushed the fix for this issue (#121). If an object to be downloaded has a key that would resolve to a location outside of the --dump-dir, the file won't be downloaded. The user will get a message that looks like this:
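To make both the bug and the fix concrete, here is an added example (not S3Scanner's own code, and not the patch in #121): a naive join of dump directory and key next to a hypothetical safe_dest() helper that resolves the candidate path and refuses any key that does not land strictly inside the dump directory. The object keys and the skip message are constructed for illustration, modelled on the demonstration bucket described above; the helper assumes a POSIX filesystem.

```python
import os

# Constructed sample keys, modelled on the demonstration bucket in the advisory.
# They are not a real bucket listing.
SAMPLE_KEYS = [
    "logs/2021/app.log",              # ordinary key, should be written normally
    "../",                            # the bare '../' key from the screenshot
    "../test.txt",                    # lands one level above --dump-dir
    "../../../../../tmp/evil.sh",     # chained traversal, lands anywhere
    "docs/../../escape.txt",          # traversal hidden behind a normal prefix
    "/etc/passwd-lookalike",          # absolute key: os.path.join discards the base
]


def vulnerable_dest(dump_dir: str, key: str) -> str:
    """Pre-fix behaviour: the dump directory and the key are simply joined.
    normpath shows where the OS would actually create the file."""
    return os.path.normpath(os.path.join(dump_dir, key))


def safe_dest(dump_dir: str, key: str):
    """Hypothetical hardened helper (not S3Scanner's function).

    Returns the absolute destination for `key` inside `dump_dir`, or None when
    the key would resolve to the dump directory itself or anywhere outside it.
    """
    base = os.path.realpath(dump_dir)
    # Resolve '..' segments (and symlinks in existing parts) before comparing;
    # comparing the raw string would let 'buckets/../x' slip through.
    candidate = os.path.realpath(os.path.join(base, key))
    # commonpath equals base only when candidate is base or lies beneath it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if candidate == base:
        # Keys such as '../' or '' resolve to the directory, not to a file in it.
        return None
    return candidate


def partition_keys(dump_dir: str, keys):
    """Split a listing into keys that will be downloaded and keys to skip."""
    accepted, skipped = [], []
    for key in keys:
        (accepted if safe_dest(dump_dir, key) else skipped).append(key)
    return accepted, skipped


if __name__ == "__main__":
    dump_dir = "/projects/s3scanner/buckets/"
    for key in SAMPLE_KEYS:
        dest = safe_dest(dump_dir, key)
        if dest is None:
            # Constructed message; the real tool's wording is in the screenshot.
            print(f"[skip] {key!r} would be written to "
                  f"{vulnerable_dest(dump_dir, key)} (outside --dump-dir)")
        else:
            print(f"[ok]   {key!r} -> {dest}")
```

The important design choice is that the check is made on the resolved path and not on the key text: rejecting keys that merely contain "../" would miss a key like "docs/../../escape.txt" only if the check ran on the unnormalised string, and would also block harmless keys such as "a/../b.txt" that stay inside the directory.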

Screenshot showing the command-line output of trying to dump the bucket referenced above which contains bad object keys. S3Scanner has skipped the files with relative path characters in their keys.

I'll be drafting the v2.0.2 release to push out this update across the git repo, PyPI package, and Docker image.
