sensepost / DET

(extensible) Data Exfiltration Toolkit (DET)
MIT License

Path traversal and filename control chars #10

Open natronkeltner opened 8 years ago

natronkeltner commented 8 years ago

Looks like 842916dee7a4884dc7eccf102312d50575be01c1 accidentally introduced a path traversal vuln as os.path.pathsep (":") != os.path.sep ("/").

In det.py:

        filename = "%s.%s" % (fname.replace(
            os.path.pathsep, ''), time.strftime("%Y-%m-%d.%H:%M:%S", time.gmtime()))

Also, since you can inject filenames with arbitrary contents, it'd be a good idea to filter the filename to disallow non-ASCII printable characters. Combined with the path traversal, it might be possible to plant a file somewhere that'd abuse globbing ("foo *") in a script somewhere and get RCE out of it. (The tar example here probably wouldn't work, but maybe one could be found.)
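To make the two points of the report concrete, here is an added example (not code from the DET project or from the issue author) that puts the reported `os.path.pathsep` replacement beside a sanitiser that strips directory components and whitelists characters, plus a containment check that verifies the final path cannot leave the output directory. The whitelist `SAFE_CHARS`, the `loot` directory name and the sample filenames are assumptions of this example, not values from the issue.

```python
import os
import string

# The sanitisation reported in the issue: os.path.pathsep is the PATH-list
# separator (":" on POSIX, ";" on Windows), so "/" and "\\" survive untouched.
def buggy_sanitize(fname):
    return fname.replace(os.path.pathsep, '')


# Whitelist for a filename chosen by the remote side (assumption of this
# example): printable ASCII letters, digits and a few punctuation marks.
# Space, "*", "?", quotes, control bytes and non-ASCII are all rejected so a
# planted name cannot be abused by unquoted globbing in some later script.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "._-")


def safe_sanitize(fname, replacement="_"):
    # Normalise Windows separators first so basename() drops directory parts
    # on either platform, then keep only the last path component.
    base = os.path.basename(fname.replace("\\", "/"))
    if base in ("", ".", ".."):
        base = "unnamed"
    # Replace every character outside the whitelist.
    cleaned = "".join(c if c in SAFE_CHARS else replacement for c in base)
    # Avoid producing a dotfile such as ".bashrc".
    if cleaned.startswith("."):
        cleaned = replacement + cleaned[1:]
    return cleaned


def stays_inside(outdir, name):
    # Defence in depth: resolve the final path and confirm it is still
    # beneath outdir. No files are created; realpath only normalises.
    root = os.path.realpath(outdir)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) == root


if __name__ == "__main__":
    # Constructed attacker-controlled filenames, not taken from the issue.
    for fname in ("../../etc/cron.d/evil", "..\\..\\evil", "foo *", "..", "a\x00b"):
        for label, fn in (("buggy", buggy_sanitize), ("safe", safe_sanitize)):
            name = fn(fname)
            print("%-5s %-24r -> %-24r inside=%s"
                  % (label, fname, name, stays_inside("loot", name)))
```

The `stays_inside` check is the one to keep even after fixing the sanitiser: it catches any future regression of the same kind, because it tests the property that matters (the resolved path is under the output directory) rather than the string manipulation used to get there.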