NetworkMiner is a network forensics tool for viewing network traffic. Among other features, it can automatically parse HTTP traffic and create files in a directory structure corresponding to the visited pages.

Since such tools are often used to observe hostile traffic from an attacker, such functionality needs to be safe against network packets which are deliberately designed to exploit bugs in the tool. One such risk for NetworkMiner involves “directory traversal”; if elements such as “../” are not removed from any file paths, then files might be written outside the intended directories, potentially allowing an attacker to create (or overwrite!) files at any writeable location on the filesystem.

NetworkMiner 1.4’s sanitization code removed such path elements early in the parsing process. However, URL unescaping - which converts encoded characters such as %2e to their equivalents such as ‘.’ - is performed at a later stage, allowing an attacker to encode ‘..’ as %2e%2e. This should not be a problem, since the code which creates files performed the following additional sanitization step before using the provided filename:

fileLocation.Replace("..","_");

Unfortunately, C#’s Replace function does not modify a string in-place; since this code fails to assign the result back to fileLocation, it serves no purpose. As such, an attacker could write files to arbitrary filesystem locations if their traffic was being monitored using NetworkMiner.

I reported this issue in February, the vendor acknowledged it within a day, and the flaw was publically disclosed by the vendor in August.