CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share)

Learn about CWE-40 (Path Traversal: '\\UNC\share\name\' (Windows UNC Share)), its security impact, exploitation methods, and prevention guidelines.

What is Path Traversal: '\\UNC\share\name\' (Windows UNC Share)?

• Overview: CWE-40, Path Traversal: '\\UNC\share\name\' (Windows UNC Share), occurs when a product does not reject, or otherwise safely handle, input containing a Windows UNC share path (\\server\share\...), so that a file operation can be redirected to a network location or file the developer never intended.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by providing specially crafted inputs that redirect file operations to a UNC path, potentially accessing sensitive files.
  • Common attack patterns include manipulating file path inputs in web applications or software to redirect access to network shares.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to files, disclosure of sensitive information, and potential data manipulation.
  • Potential cascading effects include further attacks, such as remote code execution if malicious files are accessed and executed.
  • Business impact may include data breaches, loss of customer trust, legal liability, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes include validating and sanitizing all file path inputs to ensure they do not resolve to UNC paths unless explicitly intended.
  • Security best practices involve employing strict access controls, logging access attempts to sensitive paths, and educating developers about path traversal risks.
  • Recommended tools and frameworks include static analysis tools that detect path traversal vulnerabilities and libraries that provide safe file path operations.

Corgea can automatically detect and fix Path Traversal: '\\UNC\share\name\' (Windows UNC Share) in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

import os

def read_file(file_path):
    # Vulnerable to UNC path traversal attack
    # This function does not validate the file path, allowing potential UNC paths
    with open(file_path, 'r') as file:
        return file.read()

# Example of a dangerous input: '\\UNC\share\name\malicious_file.txt'
content = read_file("\\\\UNC\\share\\name\\malicious_file.txt")

The above code is vulnerable to a path traversal attack using Windows UNC paths. The read_file function accepts any path, including UNC paths that could point to unintended network locations, potentially exposing sensitive data or allowing unauthorized access.

How to fix Path Traversal: '\\UNC\share\name\' (Windows UNC Share)?

To mitigate the risk of path traversal vulnerabilities, especially with UNC paths, you should:

  1. Input Validation: Validate and sanitize the input path to ensure it adheres to expected formats and directories.
  2. Whitelist Directories: Restrict access to a set of predefined directories using a whitelist.
  3. Use Secure Libraries: Employ libraries that handle file paths securely and prevent traversal attacks.

Fixed Code Example

import os

def read_file(file_path):
    # Define a whitelist of allowed directories
    allowed_directories = ['C:\\trusted_directory']

    # Normalize the path to collapse '..' segments and redundant separators
    normalized_path = os.path.normpath(file_path)

    # Make the path absolute. Note that abspath() does not turn a UNC path
    # into a local one: '\\server\share\file' stays a UNC path and is
    # rejected by the directory check below, because it does not begin
    # with an allowed local directory.
    normalized_path = os.path.abspath(normalized_path)

    # Require the path to lie inside an allowed directory. Compare on
    # normalized case (Windows paths are case-insensitive) and include the
    # separator after the directory name, so that a sibling such as
    # 'C:\trusted_directory_evil\x' does not pass a plain prefix test.
    candidate = os.path.normcase(normalized_path)
    allowed = False
    for directory in allowed_directories:
        base = os.path.normcase(os.path.abspath(directory)).rstrip(os.sep) + os.sep
        if candidate.startswith(base):
            allowed = True
            break
    if not allowed:
        raise ValueError("Access denied: unauthorized file path.")

    # Attempt to open the file only if the path is validated
    with open(normalized_path, 'r') as file:
        return file.read()

# Example usage with a safe path
content = read_file("C:\\trusted_directory\\safe_file.txt")

In the fixed code:

  • We normalize the input path using os.path.normpath() and convert it to an absolute path using os.path.abspath(), so that '..' segments and redundant separators are collapsed before the check. Note that os.path.abspath() does not turn a UNC path into a local one: a UNC path stays a UNC path, and it is rejected because it does not start with an allowed local directory.
  • We implement a whitelist of trusted directories and ensure that the normalized path starts with one of these directories.
  • We raise an exception if the path is not authorized, preventing access to unauthorized or potentially harmful files.

This approach ensures that only files within predefined safe directories are accessible, mitigating the risk of path traversal attacks via UNC paths or other methods.
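As an added example (not code from the original page or from Corgea), the following function applies the three steps above using Python's ntpath module, so the Windows path rules are exercised identically on any platform, and it also rejects the forward-slash and '\\?\UNC\' spellings of a UNC path, which the fix above does not address explicitly. ALLOWED_BASE and the sample inputs are constructed for the example.

```python
import ntpath

# Allowed local directory (constructed for this example)
ALLOWED_BASE = "C:\\trusted_directory"


def is_unc_path(path):
    """True when the drive part starts with two separators: every spelling
    of a UNC share ('\\\\server\\share', '//server/share',
    '\\\\?\\UNC\\server\\share') and, for the same reason, '\\\\?\\' and
    '\\\\.\\' device paths."""
    drive, _ = ntpath.splitdrive(path)
    return len(drive) >= 2 and drive[0] in "\\/" and drive[1] in "\\/"


def resolve_under_base(user_path, base=ALLOWED_BASE):
    """Resolve user_path against base using Windows path semantics (ntpath,
    so this behaves the same on any platform). Returns the resolved path if
    it lies inside base, else None (UNC share, other drive, sibling
    directory, or escape via '..')."""
    if is_unc_path(user_path):
        return None
    # join() drops base when user_path is itself absolute ('D:\\x'),
    # so the containment check below is still required
    resolved = ntpath.normpath(ntpath.join(base, user_path))
    if is_unc_path(resolved):
        return None
    # case-insensitive comparison on a whole path component: the trailing
    # separator stops 'C:\\trusted_directory_evil' from matching
    base_norm = ntpath.normcase(ntpath.normpath(base)).rstrip("\\") + "\\"
    if not ntpath.normcase(resolved).startswith(base_norm):
        return None
    return resolved


if __name__ == "__main__":
    # constructed sample inputs: the first two are accepted, the rest rejected
    for sample in [
        "safe_file.txt",
        "reports\\..\\safe_file.txt",
        "..\\..\\Windows\\win.ini",
        "\\\\UNC\\share\\name\\malicious_file.txt",
        "//UNC/share/name/malicious_file.txt",
        "\\\\?\\UNC\\UNC\\share\\name\\malicious_file.txt",
        "C:\\trusted_directory_evil\\x.txt",
    ]:
        print(repr(sample), "->", resolve_under_base(sample))
```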


Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) and get remediation guidance

Start for free and no credit card needed.