An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
chroot()
system call could allow attackers to escape a chroot jail.chroot()
system call allows a process to change its perception of the root directory of the file system. After properly invoking chroot()
, a process cannot access any files outside the directory tree defined by the new root directory. Such an environment is called a chroot jail and is commonly used to prevent the possibility that a processes could be subverted and used to access unauthorized files. For instance, many FTP servers run in chroot jails to prevent an attacker who discovers a new vulnerability in the server from being able to download the password file or other sensitive files on the system.chroot()
may allow attackers to escape from the chroot jail. The chroot()
function call does not change the process's current working directory, so relative paths may still refer to file system resources outside of the chroot jail after chroot()
has been called.
chroot("/var/ftproot");
...
fgets(filename, sizeof(filename), network);
localfile = fopen(filename, "r");
while ((len = fread(buf, 1, sizeof(buf), localfile)) != EOF) {
fwrite(buf, 1, sizeof(buf), network);
}
fclose(localfile);
GET
command. The FTP server calls chroot()
in its initialization routines in an attempt to prevent access to files outside of /var/ftproot
. But because the server fails to change the current working directory by calling chdir("/")
, an attacker could request the file "../../../../../etc/passwd
" and obtain a copy of the system password file.java.io
package.FileResponse
instance with user input could allow an attacker to download application binaries or view arbitrary files within protected directories.
from django.http import FileResponse
...
def file_disclosure(request):
path = request.GET['returnURL']
return FileResponse(open(path, 'rb'))
...