Land #7932, Fix CVE-2017-5229

2017-02-07 19:22:36 -06:00 · 2017-02-07 19:22:36 -06:00 · 74e029f3b1
parent 522c6dce8e 68a5d300fe
commit 74e029f3b1
1 changed files with 11 additions and 3 deletions
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb
@ -373,6 +373,12 @@ private
  def download_file( dest_folder, source )
    stat = client.fs.file.stat( source )
    base = ::Rex::Post::Meterpreter::Extensions::Stdapi::Fs::File.basename( source )
+
+    # Basename ends up with a single name/folder. This is the only point where it
+    # may be possible to do a dir trav up one folder. We need to check to make sure
+    # that the basename doesn't result in a traversal
+    return false if base == '..'
+
    dest = File.join( dest_folder, base )

    if stat.directory?
@ -386,6 +392,8 @@ private
        client.framework.events.on_session_download( client, src, dest ) if msf_loaded?
      }
    end
+
+    return true
  end

  def parse_dump(dump, get_images, get_files, download_path)
@ -406,15 +414,15 @@ private
          print_line(v)

        when 'Files'
-          total = 0
          v.each do |f|
            print_line("Remote Path : #{f[:name]}")
            print_line("File size   : #{f[:size]} bytes")
            if get_files
-              download_file( loot_dir, f[:name] )
+              unless download_file(loot_dir, f[:name])
+                print_error("Download of #{f:name]} failed.")
+              end
            end
            print_line
-            total += f[:size]
          end

        when 'Image'