CVE-2016-5725
Directory Traversal vulnerability in jsch (Maven)

Category: Directory Traversal. Known public exploit: none.

What is CVE-2016-5725 About?

This directory traversal vulnerability affects JCraft JSch before 0.1.54 on Windows systems, specifically when the mode is `ChannelSftp.OVERWRITE`. It allows remote SFTP servers to write to arbitrary files via a `..\` sequence in a response to a recursive GET command. Exploitation requires a malicious SFTP server, making it moderately difficult.

Affected Software

com.jcraft:jsch <0.1.54

Technical Details

The directory traversal vulnerability in JCraft JSch occurs on Windows systems when a client running a version prior to 0.1.54 performs a recursive GET in `ChannelSftp.OVERWRITE` mode. A malicious SFTP server can answer the client's recursive GET request with specially crafted entry names containing the `..\` (dot dot backslash) sequence. Because the JSch client neither sanitizes nor canonicalizes these server-supplied names, the sequence is passed through into the local file path instead of being stripped or resolved. On Windows the backslash is a path separator, so when the client saves the file, the `..\` components let it escape the intended download directory and write to arbitrary locations on the client's file system, potentially overwriting critical system files or planting malware.
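The defensive check a JSch-based client can apply on its own side is a containment test on every server-supplied entry name before the local file is created. The class below is an added example written for this page; it is not JSch's code or its 0.1.54 fix. The class and method names (`SafeSftpTarget`, `resolveInside`), the `downloads` directory and the sample entry names are all constructed for illustration. It goes slightly beyond the Windows-specific case on the page: it rejects both `\` and `/` in a name, so the check behaves the same on Windows, where `\` is a separator, and on POSIX, where it is not.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafeSftpTarget {

    /**
     * Resolve a server-supplied SFTP entry name to a local path that is guaranteed
     * to stay inside downloadDir. Throws if the name would escape that directory.
     * (Example helper, not part of JSch.)
     */
    public static Path resolveInside(Path downloadDir, String remoteName) {
        Path base = downloadDir.toAbsolutePath().normalize();

        // Entries returned by a directory listing are single path components. A server
        // has no legitimate reason to send either separator, so refuse both '/' and '\'
        // up front; this makes the check independent of the host platform, since on
        // Windows '\' is a separator but on POSIX it is an ordinary filename character.
        if (remoteName.isEmpty()
                || remoteName.indexOf('/') >= 0
                || remoteName.indexOf('\\') >= 0
                || remoteName.equals(".")
                || remoteName.equals("..")) {
            throw new IllegalArgumentException("unsafe remote entry name: " + remoteName);
        }

        // Second line of defence: canonicalize and confirm the result is still under base.
        Path target = base.resolve(remoteName).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("entry escapes download directory: " + remoteName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample names, including the ..\ pattern described in the advisory.
        Path base = Paths.get("downloads");
        String[] samples = {
            "report.pdf",
            "..\\..\\Windows\\evil.dll",
            "../etc/passwd",
            "nested/name.txt",
            ".."
        };
        for (String name : samples) {
            try {
                System.out.println("OK   " + name + " -> " + resolveInside(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + e.getMessage());
            }
        }
    }
}
```

In a client that walks remote directories itself, call `resolveInside` on each `LsEntry.getFilename()` obtained from `ChannelSftp.ls()` and only then hand the resulting path to `ChannelSftp.get(remotePath, localPath.toString())`. Upgrading to 0.1.54 as listed under the available fixes remains the primary remedy; this check is defence in depth for application code that builds local paths from server-controlled names.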

What is the Impact of CVE-2016-5725?

Successful exploitation may allow attackers to write arbitrary files to the file system, leading to system compromise, data corruption, or execution of malicious code.

What is the Exploitability of CVE-2016-5725?

Exploitation of this directory traversal vulnerability requires a compromised or malicious SFTP server that serves specially crafted filenames to a vulnerable JSch client. The complexity is moderate, since the attacker must control the SFTP server's responses. No authentication is required on the client side beyond establishing an SFTP connection. The privileges gained on the client system depend on the user running the JSch client; if it runs with elevated privileges, the impact is greater. The vulnerability is remote from the perspective of the malicious server. Special conditions are that the client uses a vulnerable version of JSch on Windows, operates in `ChannelSftp.OVERWRITE` mode, and performs recursive GET commands against a hostile SFTP server. The likelihood of exploitation is higher where clients routinely connect to untrusted SFTP servers for file transfers.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2016-5725?

Available Upgrade Options

  • com.jcraft:jsch
    • <0.1.54 → Upgrade to 0.1.54

Additional Resources

What are Similar Vulnerabilities to CVE-2016-5725?

Similar Vulnerabilities: CVE-2007-0097, CVE-2010-3861, CVE-2013-4557, CVE-2015-7761, CVE-2018-1002100