aiohttp Directory Traversal Vulnerability (CVE-2024-23334)

By /

aiohttp is an asynchronous HTTP client-server library for Python, designed for handling HTTP requests in a non-blocking way.

Built on Python’s asyncio framework, it allows developers to build web applications, APIs, and web clients capable of handling a high volume of concurrent requests efficiently without traditional threading.

Key Features of aiohttp

  1. Asynchronous: aiohttp uses async and await syntax to handle multiple requests simultaneously, ideal for I/O-bound tasks.
  2. Web Server and Client: It supports both server and client-side HTTP functionality, enabling full web app development or the integration of third-party APIs.
  3. WebSockets Support: aiohttp natively supports WebSockets, which allows for real-time bidirectional communication between clients and servers.
  4. Routing and Middleware: The library offers flexible URL routing, customizable middleware for request handling, and built-in support for JSON handling.
  5. Session and Cookie Management: aiohttp provides utilities for managing sessions and cookies, useful in building user-facing applications that require authentication.

Example Use Cases

  • Microservices and APIs: aiohttp is well-suited for developing lightweight, fast APIs in Python.
  • Real-Time Applications: WebSocket support makes aiohttp ideal for apps that need real-time updates, such as chat applications.
  • Asynchronous Web Scraping: As a client, aiohttp can be used for asynchronous web scraping where multiple requests are sent and handled efficiently.

Example Libraries and Alternatives

For asynchronous programming, aiohttp is often compared to libraries like FastAPI and Sanic, which also leverage asynchronous I/O for high-performance applications but provide different levels of built-in functionality and frameworks.

You can check out the aiohttp documentation for a deeper dive and practical examples of its capabilities.

What is the vilm

Root cause analysis

On January 29, 2024, aiohttp developers released an advisory regarding a directory traversal vulnerability linked to static resource handling configurations. Directory traversal vulnerabilities occur when a web server inadvertently allows access to files outside the intended directory by manipulating file paths. This issue affects aiohttp when configured with follow_symlinks=True, which allows symbolic links to be followed even if they lead outside the server’s specified root directory for static files.

How Static Resource Resolution Works
In web frameworks, static resources are files like images, CSS, and JavaScript that are stored in a specific directory, often named “static.” The web server retrieves these files as requested by the client. When setting up aiohttp to serve these resources, developers specify the static directory and control whether to follow symbolic links.

How the Vulnerability Occurs
When follow_symlinks=True is enabled, aiohttp lacks validation to confirm if the accessed file path remains within the static root directory. Attackers can exploit this by using relative paths (like ../../../etc/passwd) to traverse directories and access restricted files. This is especially dangerous if the server runs with high privileges, potentially exposing sensitive server files to unauthorized access.

Example Code Configuration and Solution
Applications become vulnerable if they contain code such as:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to mitigate
])

Removing follow_symlinks=True will protect against this vulnerability. In the 3.9.2 patch, aiohttp now normalizes paths with os.path.normpath(unresolved_path) and confirms that all resolved paths remain within the static root directory. This approach ensures that symbolic links cannot lead to unintended directories outside the web root.

Using Symbolic Links
Symbolic links, or symlinks, allow references to files in multiple locations without duplication. For example, a file in /var/www/assets/images/ can also be accessible under /var/www/static/images/ by creating a symlink, like this:

ln -s /var/www/assets/images/image.png /var/www/static/images/image.png

With this setup, a single file can be accessed from different paths without duplicating it on the server.

The vulnerability fix in aiohttp 3.9.2 ensures that even with symbolic links, directory traversal outside the intended directory is not possible, enhancing security against unauthorized file access.

Exploiting the vulnerability

For example, a public GitHub repository for educational purposes could still expose code patterns and configurations that are vulnerable, such as a web server setup using aiohttp. Suppose we see the following lines in the server code:

pythonCopy codeapp.router.add_static('/static/',
                      path='static/',
                      follow_symlinks=True)

In this configuration, follow_symlinks=True enables symbolic links in the /static directory. Without additional checks, this setting can allow an attacker to access files beyond the intended directory. For example, attackers might use ../../../ sequences to perform a directory traversal and access files on the underlying system.

Exploiting Directory Traversal with URL Encoding

A common method for accessing files outside the intended directory is by using ../ sequences to “move up” directory levels. While path normalization typically removes these sequences, attackers can bypass this restriction using URL encoding. By encoding ../ as %2e%2e/, attackers can trick the system into recognizing the path without normalization. This tactic works because URL encoding allows characters that might otherwise be restricted, like /, to be transmitted safely.

Here’s an example of how an attacker might use curl to request an encoded path and access a sensitive file:

bashCopy codecurl http://example.com/static/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Using these techniques, the attacker may reach sensitive files, such as /etc/passwd (if permissions allow) or configuration files that could provide information useful for further exploitation.

Example of Sensitive Files an Attacker Might Access

  • /etc/passwd: Contains user account details.
  • /proc/self/environ: Environment variables, potentially exposing session cookies or API credentials.
  • /proc/version: Kernel version, which may reveal information about potential exploits.
  • /etc/issue: OS version, useful for targeting specific vulnerabilities.

Why Certain Files Might Not Be Accessible

If files like /etc/passwd are missing or unreadable, the server might be running in a Docker container or similar sandboxed environment. Containers often restrict access to system files outside the container’s root, protecting sensitive information on the host system.

Mitigating Directory Traversal Risks

To prevent exploitation of directory traversal vulnerabilities:

  1. Set follow_symlinks=False: Unless symbolic links are absolutely necessary, avoid setting follow_symlinks=True. This change limits traversal outside the static root directory.
  2. Strictly Validate Paths: Check all paths requested for static file access to ensure they stay within the intended directory, using secure methods provided by frameworks.
  3. Repository Security: Set GitHub repositories to private if they contain sensitive code. Only authorized team members should have access to critical configurations and codebases.
  4. Regular Updates: Keep libraries, like aiohttp, updated with the latest patches to secure against known vulnerabilities.

Links :

https://nvd.nist.gov/vuln/detail/CVE-2024-23334

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top