Skip to content

Latest commit

 

History

History
112 lines (94 loc) · 12.1 KB

attack-tree.md

File metadata and controls

112 lines (94 loc) · 12.1 KB

Attack Tree Analysis for apache/commons-io

Objective: Compromise Application via Commons IO Exploitation

Attack Tree Visualization

  • Compromise Application via Commons IO Exploitation
    • [1.0] Exploit Path Traversal Vulnerabilities [HIGH-RISK PATH]
      • [1.1.1] Leverage FileUtils.readFileToString with Unsanitized Input [CRITICAL NODE]
      • [1.1.2] Leverage FileUtils.copyFile/copyDirectory with Unsanitized Input [CRITICAL NODE]
      • [1.1.3] Leverage FilenameUtils.normalize/getFullPath with Improper Handling [CRITICAL NODE]
      • [1.1.4] Leverage File System Operations with User-Controlled Paths [CRITICAL NODE]
    • [1.2] Write Arbitrary Files (Potentially leading to RCE) [HIGH-RISK PATH]
      • [1.2.1] Leverage FileUtils.writeStringToFile/writeByteArrayToFile with Unsanitized Input [CRITICAL NODE]
        • [1.2.1.1.2] Write malicious files to web-accessible directories (e.g., web shell). [CRITICAL NODE]
      • [1.2.2] Leverage FileUtils.copyFile/copyDirectory with Unsanitized Destination [CRITICAL NODE]
      • [1.2.3] Leverage File System Operations with User-Controlled Paths for File Creation [CRITICAL NODE]
    • [1.3] Delete Arbitrary Files/Directories (DoS or Data Loss) [HIGH-RISK PATH]
      • [1.3.1] Leverage FileUtils.delete/deleteDirectory with Unsanitized Input [CRITICAL NODE]
      • [1.3.2] Leverage FileUtils.cleanDirectory with Unsanitized Input [CRITICAL NODE]
    • [2.1] Resource Exhaustion via Large File Operations [HIGH-RISK PATH]
      • [2.1.1] Read Extremely Large Files using FileUtils.readFileToString/readByteArrayToFile [CRITICAL NODE]
      • [2.1.2] Copy Extremely Large Files/Directories using FileUtils.copyFile/copyDirectory [CRITICAL NODE]
      • [2.1.3] Recursive Directory Operations on Deeply Nested Structures [CRITICAL NODE]
    • [2.3] Zip Slip Vulnerability (Indirectly related via Archive Libraries using Commons IO) [HIGH-RISK PATH]
      • [2.3.1] Application uses Archive Libraries (e.g., Apache Commons Compress) that internally use Commons IO and are vulnerable to Zip Slip when handling user-uploaded archives. [CRITICAL NODE]
    • [3.1] Exposing File Paths in Error Messages [CRITICAL NODE]
      • [3.1.1] Verbose Error Handling with FileUtils Methods [CRITICAL NODE]
    • [4.1] Incorrect File Name Handling with FilenameUtils [CRITICAL NODE]
      • [4.1.1] Misunderstanding FilenameUtils.normalize/getFullPath behavior [CRITICAL NODE]

Attack Tree Path: [1.0] Exploit Path Traversal Vulnerabilities [HIGH-RISK PATH]:

  • Attack Vector: Attackers manipulate user-controlled input to construct file paths used in Commons IO operations, bypassing intended directory restrictions and accessing files/directories outside the allowed scope.
  • Critical Nodes within this path:
    • [1.1.1] Leverage FileUtils.readFileToString with Unsanitized Input [CRITICAL NODE]:
      • Attack: Exploiting FileUtils.readFileToString with unsanitized input to read arbitrary files.
      • Example: Reading sensitive files like /etc/passwd by providing ../../../../etc/passwd as input.
    • [1.1.2] Leverage FileUtils.copyFile/copyDirectory with Unsanitized Input [CRITICAL NODE]:
      • Attack: Exploiting FileUtils.copyFile or FileUtils.copyDirectory with unsanitized source paths to read and potentially copy sensitive files.
      • Example: Copying sensitive configuration files to a temporary directory accessible to the attacker.
    • [1.1.3] Leverage FilenameUtils.normalize/getFullPath with Improper Handling [CRITICAL NODE]:
      • Attack: Bypassing path traversal defenses that rely solely on FilenameUtils.normalize or FilenameUtils.getFullPath without additional validation.
      • Example: Using encoding tricks or specific path combinations that normalize might not fully sanitize, allowing traversal.
    • [1.1.4] Leverage File System Operations with User-Controlled Paths [CRITICAL NODE]:
      • Attack: Exploiting other FileUtils methods like listFiles or directoryContains with unsanitized paths to reveal directory structure or file existence, aiding further attacks.
      • Example: Listing contents of sensitive directories to identify potential target files.

Attack Tree Path: [1.2] Write Arbitrary Files (Potentially leading to RCE) [HIGH-RISK PATH]:

  • Attack Vector: Attackers exploit unsanitized user input to control the destination path in Commons IO write operations, allowing them to write files to arbitrary locations, potentially leading to Remote Code Execution (RCE).
  • Critical Nodes within this path:
    • [1.2.1] Leverage FileUtils.writeStringToFile/writeByteArrayToFile with Unsanitized Input [CRITICAL NODE]:
      • Attack: Exploiting FileUtils.writeStringToFile or FileUtils.writeByteArrayToFile with unsanitized destination paths to write arbitrary content to any location.
      • Example:
        • [1.2.1.1.2] Write malicious files to web-accessible directories (e.g., web shell). [CRITICAL NODE]: Writing a web shell (e.g., JSP, PHP) to the web server's document root to gain remote code execution.
    • [1.2.2] Leverage FileUtils.copyFile/copyDirectory with Unsanitized Destination [CRITICAL NODE]:
      • Attack: Exploiting FileUtils.copyFile or FileUtils.copyDirectory with unsanitized destination paths to copy files to arbitrary locations.
      • Example: Overwriting critical system files or application configuration files.
    • [1.2.3] Leverage File System Operations with User-Controlled Paths for File Creation [CRITICAL NODE]:
      • Attack: Exploiting FileUtils.touch or FileUtils.forceMkdir with unsanitized paths to create files or directories in unintended locations.
      • Example: Creating directories outside the intended application scope, potentially leading to DoS if disk space is exhausted or creating files in sensitive locations.

Attack Tree Path: [1.3] Delete Arbitrary Files/Directories (DoS or Data Loss) [HIGH-RISK PATH]:

  • Attack Vector: Attackers exploit unsanitized user input to control the target path in Commons IO delete operations, allowing them to delete arbitrary files or directories, leading to Denial of Service (DoS) or data loss.
  • Critical Nodes within this path:
    • [1.3.1] Leverage FileUtils.delete/deleteDirectory with Unsanitized Input [CRITICAL NODE]:
      • Attack: Exploiting FileUtils.delete or FileUtils.deleteDirectory with unsanitized paths to delete arbitrary files or directories.
      • Example: Deleting critical application files, configuration files, or even system directories (if permissions allow).
    • [1.3.2] Leverage FileUtils.cleanDirectory with Unsanitized Input [CRITICAL NODE]:
      • Attack: Exploiting FileUtils.cleanDirectory with an unsanitized path to delete files within a directory, potentially deleting important application data.
      • Example: Intentionally cleaning the wrong directory, leading to data loss or application malfunction.

Attack Tree Path: [2.1] Resource Exhaustion via Large File Operations [HIGH-RISK PATH]:

  • Attack Vector: Attackers trigger operations involving excessively large files or directories using Commons IO functions, leading to resource exhaustion (memory, CPU, disk I/O) and Denial of Service (DoS).
  • Critical Nodes within this path:
    • [2.1.1] Read Extremely Large Files using FileUtils.readFileToString/readByteArrayToFile [CRITICAL NODE]:
      • Attack: Requesting to read extremely large files using FileUtils.readFileToString or FileUtils.readByteArrayToFile, causing memory exhaustion and application crash.
      • Example: Requesting to download or process a multi-gigabyte log file, overwhelming the application's memory.
    • [2.1.2] Copy Extremely Large Files/Directories using FileUtils.copyFile/copyDirectory [CRITICAL NODE]:
      • Attack: Requesting to copy extremely large files or directories using FileUtils.copyFile or FileUtils.copyDirectory, causing disk I/O saturation and application slowdown or crash.
      • Example: Initiating a copy operation of a massive backup directory, consuming excessive disk resources.
    • [2.1.3] Recursive Directory Operations on Deeply Nested Structures [CRITICAL NODE]:
      • Attack: Triggering recursive operations like copyDirectory or deleteDirectory on deeply nested directory structures or symbolic link loops, leading to stack overflow, excessive processing time, or application hangs.
      • Example: Copying a directory containing symbolic links that create a loop, causing infinite recursion and resource exhaustion.

Attack Tree Path: [2.3] Zip Slip Vulnerability (Indirectly related via Archive Libraries using Commons IO) [HIGH-RISK PATH]:

  • Attack Vector: Exploiting Zip Slip vulnerability in archive libraries (like Apache Commons Compress) that might use Commons IO internally. This allows writing files outside the intended extraction directory when handling user-uploaded archives.
  • Critical Node within this path:
    • [2.3.1] Application uses Archive Libraries (e.g., Apache Commons Compress) that internally use Commons IO and are vulnerable to Zip Slip when handling user-uploaded archives. [CRITICAL NODE]:
      • Attack: Uploading a malicious ZIP archive containing entries with path traversal sequences (e.g., ../../../../evil.jsp) that, when extracted by a vulnerable library, write files outside the intended extraction directory.
      • Example: Uploading a ZIP file designed to write a web shell to a web-accessible directory during extraction.

Attack Tree Path: [3.1] Exposing File Paths in Error Messages [CRITICAL NODE]:

  • Attack Vector: Verbose error handling in the application reveals sensitive file paths or directory structures in error messages generated by Commons IO operations.
  • Critical Node within this path:
    • [3.1.1] Verbose Error Handling with FileUtils Methods [CRITICAL NODE]:
      • Attack: Application's error handling for FileUtils operations (e.g., FileNotFoundException, IOException) directly exposes file paths in user-facing error messages.
      • Example: An error message displaying "FileNotFoundException: /sensitive/path/config.xml (No such file or directory)" revealing the existence and path of a sensitive configuration file.

Attack Tree Path: [4.1] Incorrect File Name Handling with FilenameUtils [CRITICAL NODE]:

  • Attack Vector: Misunderstanding or incorrect usage of FilenameUtils functions leads to vulnerabilities or unexpected behavior, often related to path traversal bypasses or incorrect file processing logic.
  • Critical Node within this path:
    • [4.1.1] Misunderstanding FilenameUtils.normalize/getFullPath behavior [CRITICAL NODE]:
      • Attack: Developers incorrectly assume FilenameUtils.normalize or FilenameUtils.getFullPath fully sanitize paths and prevent traversal, leading to bypasses when these functions are not used as part of a comprehensive validation strategy.
      • Example: Relying solely on FilenameUtils.normalize and failing to implement further checks, allowing attackers to craft paths that bypass the normalization and still achieve traversal.